

A vulnerability in an iOS call recording app was found to give anyone who knew a user's phone number access to that user's recorded phone calls.
Detailed today by Anand Prakash from PingSafe AI, the vulnerability was discovered in an app known as “Automatic Call Recorder” that had been downloaded more than a million times from the Apple App Store. As its name suggests, the app records incoming and outgoing phone calls automatically.
The vulnerability related to insecure communications going in and out of the app. Using a proxy tool such as Burp Suite, Prakash could view and modify network traffic, allowing him to pass another user’s number in the recording request. The application programming interface would then respond with the URL of the Amazon Web Services Inc. S3 storage bucket where the recording was being stored.
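The flaw described above is a missing ownership check on the recording request. The following is an added example, not code from the app or from Prakash's write-up, showing a handler that trusts the client-supplied number beside one that takes identity from a server-verified token; the field names, key, phone numbers and URLs are hypothetical, and the hardened form is one possible fix, not the vendor's.

```python
import hashlib
import hmac

# Constructed sample data: all names, numbers and URLs are hypothetical.
SERVER_KEY = b"demo-only-key"
RECORDINGS = {
    "+15550100": ["https://bucket.example/rec/a1.m4a"],
    "+15550199": ["https://bucket.example/rec/b7.m4a"],
}


def issue_token(phone: str) -> str:
    """Issued at login, after the server has verified the phone number."""
    mac = hmac.new(SERVER_KEY, phone.encode(), hashlib.sha256).hexdigest()
    return f"{phone}.{mac}"


def authenticated_phone(token: str):
    """Return the phone number bound to a valid token, else None."""
    phone, _, mac = token.partition(".")
    expected = hmac.new(SERVER_KEY, phone.encode(), hashlib.sha256).hexdigest()
    ok = hmac.compare_digest(mac.encode(), expected.encode())
    return phone if ok else None


def fetch_vulnerable(request: dict) -> dict:
    # Flaw described in the article: the number in the request body alone
    # decides whose recordings are returned, and the client controls it.
    return {"status": 200, "urls": RECORDINGS.get(request["phone"], [])}


def fetch_hardened(request: dict, audit: list) -> dict:
    # Identity comes from the server-verified token, never from the body.
    caller = authenticated_phone(request.get("token", ""))
    if caller is None:
        return {"status": 401, "urls": []}
    claimed = request.get("phone", caller)
    if claimed != caller:
        # A mismatch is a useful detection signal: record it and refuse.
        audit.append(("owner_mismatch", caller, claimed))
        return {"status": 403, "urls": []}
    return {"status": 200, "urls": RECORDINGS.get(caller, [])}
```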
The company behind Automatic Call Recorder was informed of the vulnerability and a new version of the app went live on the App Store March 6. Any users who do not automatically have their apps updated are advised to install the update as soon as possible.
“Security issues like this are catastrophic in nature,” Prakash said. “Along with impacting customer’s privacy, these also dent the company’s image and provide added advantage to the competitors.”
Anurag Kahol, chief technology officer at cloud access security broker Bitglass Inc., told SiliconANGLE that anyone could have easily accessed the thousands of call recordings during the timeframe of exposure simply by knowing a user’s phone number.
“This was not only a violation of data privacy but also put the affected users at physical and cyber risk if their recorded conversations contained sensitive, personal details,” he said. “App makers that fail to invest in their own cybersecurity readiness must recognize that the fines they could face for non-compliance with data privacy laws are incredibly expensive – not to mention the cost of losing their customers’ trust.”