In terms of privacy nightmares, this one is pretty bad – a glaring security flaw in a popular iPhone call recording app would have allowed literally anyone to listen to a user’s recordings had they known their target’s phone number.
Call Recorder claims to have over a million global downloads. This makes it even more concerning that application security flaws appear to have been so easily discovered by Anand Prakash, a security researcher and founder of Pingsafe AI. Prakash recently shared his findings with TechCrunch.
Apps like Call Recorder are a fairly popular way to keep track of business-related calls and meetings, although they have raised significant privacy and security concerns due to the way they store this sensitive data in the cloud. In general, application data storage through cloud services can be quite a dubious proposition if that storage does not have adequate protections.
In this particular case, access to the Call Recorder cloud repository, and therefore thousands of stored phone conversations, could be easily manipulated by exploiting a huge security hole.
After creating an account with the app, Prakash discovered that he could access and manipulate the web traffic traveling to and from it using a common penetration testing program. From there, he discovered that if he replaced the phone number he had registered in Call Recorder with a different number, the app would deliver that user’s data to his phone, including stored phone calls and associated metadata.
“The vulnerability allowed any malicious actor to listen to the call recording of any user from the application’s cloud storage repository and an unauthenticated API endpoint that leaked the cloud storage URL of the victim’s data,” Prakash writes.
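The flaw described above comes down to a server that decides whose data to return from a phone number the client sends. The following Python example is added here for illustration and is not code from Call Recorder or from Prakash's report; it contrasts that pattern with a handler that takes identity only from a server-issued token. The data store, token format and function names are hypothetical, and the phone numbers and paths are constructed.

```python
import hashlib
import hmac

# Constructed demo key; a real service would load this from a secret store.
SERVER_KEY = b"constructed-demo-key"

# Constructed sample data: phone number -> storage path of that user's recordings.
RECORDINGS = {
    "+15550000001": "recordings/user-1/",
    "+15550000002": "recordings/user-2/",
}

def _mac(phone):
    return hmac.new(SERVER_KEY, phone.encode(), hashlib.sha256).hexdigest()

def issue_token(phone):
    """Hypothetical: called only after the server has verified the number."""
    return f"{phone}.{_mac(phone)}"

def phone_from_token(token):
    """Return the phone number bound to a valid token, else None."""
    phone, _, mac = token.rpartition(".")
    if phone and hmac.compare_digest(mac.encode(), _mac(phone).encode()):
        return phone
    return None

def fetch_vulnerable(request):
    # Flawed pattern: identity is whatever phone number the client sends.
    return RECORDINGS.get(request["phone"])

def fetch_hardened(request):
    # Identity comes only from the server-issued token.
    caller = phone_from_token(request.get("token", ""))
    if caller is None:
        raise PermissionError("unauthenticated request")
    # A client-supplied number is accepted only if it matches the caller.
    if request.get("phone", caller) != caller:
        raise PermissionError("phone number does not belong to caller")
    return RECORDINGS.get(caller)
```

In the hardened handler, a request that edits the phone number in transit fails the ownership check instead of returning another user's storage path.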
After Prakash contacted the app’s developer, a new secure version of Call Recorder was re-released on Saturday. TechCrunch reports that, at the time of the patch, there was around 300 gigabytes of data, or “more than 130,000 audio recordings” stored in the Call Recorder cloud repository.
We have reached out to the app developer for feedback and will update this post when we have news.