iPhone Call Recorder bug gave acess to other people’s conversations


An iOS call recording app patched a security vulnerability that gave anyone access to the conversations of thousands of users by simply providing the correct phone numbers.

The application’s name is “Automatic call recorder” or “Acr call recorder” and has thousands of user reviews in App Store amounting to a rating above 4 stars; it has also been listed among the top call recording apps for iPhone.

Fetching more than recordings

Using open-source intelligence, security researcher Anand Prakash, founder of PingSafe AI, found the app’s cloud storage on Amazon along with host names and some sensitive data that it used.

By passing the app’s network traffic through a web proxy tool like Burp or Zap, an attacker could insert the phone number of any app user in the recordings request.

Because the responding API did not run any authentication, it returned the recordings associated with the phone number passed in the request. Even more, it also leaked that user’s entire call history, Prakash says.

On its website, the app boasts having over one million downloads from users in more than 20 countries.

Prakash worked with TechCrunch on the vulnerability disclosure. Zack Whittaker from the media outlet contacted the app’s developer, who released a new version with the fix.

According to Whittaker, the app’s storage bucket on Amazon contained over 130,000 recordings weighing around 300 gigabytes.


Next Post

Employers aren't training staff to use new tech tools. Employees are paying the price

Thu Mar 11 , 2021
Organizations have invested millions in new technology over the past year, yet fewer than one in 10 businesses have trained staff in to use the tools. Little surprise, then, that employees are using them incorrectly – and getting in trouble for it. Research suggests training is lagging behind tech investment, […]