An iOS call recording app patched a security vulnerability that gave anyone access to the conversations of thousands of users by simply providing the correct phone numbers.
The application’s name is “Automatic call recorder” or “Acr call recorder” and has thousands of user reviews in App Store amounting to a rating above 4 stars; it has also been listed among the top call recording apps for iPhone.
Fetching more than recordings
Using open-source intelligence, security researcher Anand Prakash, founder of PingSafe AI, found the app’s cloud storage on Amazon along with host names and some sensitive data that it used.
By passing the app’s network traffic through a web proxy tool like Burp or Zap, an attacker could insert the phone number of any app user in the recordings request.
Because the responding API did not run any authentication, it returned the recordings associated with the phone number passed in the request. Even more, it also leaked that user’s entire call history, Prakash says.
On its website, the app boasts having over one million downloads from users in more than 20 countries.
Prakash worked with TechCrunch on the vulnerability disclosure. Zack Whittaker from the media outlet contacted the app’s developer, who released a new version with the fix.
According to Whittaker, the app’s storage bucket on Amazon contained over 130,000 recordings weighing around 300 gigabytes.