UPDATED 21:56 EDT / MARCH 09 2021


Vulnerability in iPhone app exposed recorded phone calls

A vulnerability in an iOS call recording app was found to give anyone who knew a user’s phone number access to that user’s recorded phone calls.

Detailed today by Anand Prakash from PingSafe AI, the vulnerability was discovered in an app known as “Automatic Call Recorder” that had been downloaded more than a million times from the Apple App Store. As its name suggests, the app records incoming and outgoing phone calls automatically.

The vulnerability related to insecure communications going in and out of the app. Using a proxy tool such as Burp Suite, Prakash could view and modify network traffic, allowing him to pass another user’s number in the recording request. The application programming interface would then respond with the URL of the Amazon Web Services Inc. S3 storage bucket where the recording was being stored.
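The flaw described above, where the number in the request decides whose recording comes back, is shown here next to a server-side check that closes it. This is an added example, not code from the app or from Prakash's write-up. The function names, session tokens, phone numbers and storage keys are all constructed, and the existence of a session token is itself an assumption.

```python
# Added illustration; every name, token and number below is constructed.
RECORDINGS = {"+15550100": "rec/alice-001.m4a", "+15550199": "rec/bob-001.m4a"}
SESSIONS = {"tok-alice": "+15550100", "tok-bob": "+15550199"}  # token -> verified number
AUDIT_LOG = []  # refused cross-user requests, worth alerting on


def lookup_vulnerable(token, body):
    """Flawed pattern: the number in the request body decides whose recording is returned."""
    if token not in SESSIONS:
        return 401, None
    key = RECORDINGS.get(body.get("phone"))
    return (200, key) if key else (404, None)


def lookup_hardened(token, body):
    """The owner comes from the server-side session; the body cannot override it."""
    owner = SESSIONS.get(token)
    if owner is None:
        return 401, None
    claimed = body.get("phone")
    if claimed is not None and claimed != owner:
        # A request naming someone else's number is a tampering signal: log and refuse.
        AUDIT_LOG.append({"session_owner": owner, "requested": claimed})
        return 403, None
    key = RECORDINGS.get(owner)
    return (200, key) if key else (404, None)


if __name__ == "__main__":
    tampered = {"phone": "+15550199"}  # alice's session, bob's number in the body
    print("vulnerable:", lookup_vulnerable("tok-alice", tampered))
    print("hardened:  ", lookup_hardened("tok-alice", tampered))
    print("own data:  ", lookup_hardened("tok-alice", {}))
    print("audit log: ", AUDIT_LOG)
```
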

The company behind Automatic Call Recorder was informed of the vulnerability and a new version of the app went live on the App Store March 6. Any users who do not automatically have their apps updated are advised to install the update as soon as possible.

“Security issues like this are catastrophic in nature,” Prakash said. “Along with impacting customer’s privacy, these also dent the company’s image and provide added advantage to the competitors.”

Anurag Kahol, chief technology officer at cloud access security broker Bitglass Inc., told SiliconANGLE that anyone could have easily accessed the thousands of call recordings during the timeframe of exposure simply by knowing a user’s phone number.

“This was not only a violation of data privacy but also put the affected users at physical and cyber risk if their recorded conversations contained sensitive, personal details,” he said. “App makers that fail to invest in their own cybersecurity readiness must recognize that the fines they could face for non-compliance with data privacy laws are incredibly expensive – not to mention the cost of losing their customers’ trust.”
