iPhone Call Recorder App Exposed 130,000 User Conversations

An iOS call recorder app was found exposing the conversations of thousands of its users. Bad actors could get access to private conversations by intercepting the app’s network traffic and providing the correct phone numbers.

The application, called either “Automatic call recorder” or “Acr call recorder”, has thousands of user reviews in the App Store and a rating above 4 stars, and has been named among the top call recording apps for iPhone.

The bug was found and reported by Anand Prakash, founder of PingSafe AI. 

Using open-source intelligence, the security researcher found the app’s cloud storage on Amazon that hosted the app users’ names and other sensitive data.

Using a web proxy tool like Burp or ZAP to intercept and modify the app’s network traffic, an attacker could insert the phone number of any user into the request for recordings. The API performed no authentication and freely returned the recordings associated with that phone number. What’s more, the bucket also leaked that user’s call history, Prakash says.
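The flaw described above, an endpoint that trusts a client-supplied phone number, shown next to a hardened version as an added example (this is not the app's actual code). The sample data, key, token format and function names are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample data: recordings stored per phone number (all values made up).
RECORDINGS = {
    "+15550100": ["rec-a1.m4a", "rec-a2.m4a"],
    "+15550199": ["rec-b1.m4a"],
}
SERVER_KEY = b"example-only-key"  # hypothetical; a real service loads this from a secret store


def _mac(phone: str) -> str:
    return hmac.new(SERVER_KEY, phone.encode(), hashlib.sha256).hexdigest()


def issue_token(phone: str) -> str:
    """Issued by the server only after the user proves control of the number."""
    return f"{phone}.{_mac(phone)}"


def authenticated_phone(token: str):
    """Return the phone number bound to a valid token, or None."""
    phone, _, mac = token.rpartition(".")
    ok = hmac.compare_digest(mac.encode(), _mac(phone).encode())
    return phone if phone and ok else None


def fetch_recordings_vulnerable(request: dict):
    """The flaw as reported: the number in the request alone selects the data."""
    return 200, RECORDINGS.get(request.get("phone"), [])


def fetch_recordings_hardened(request: dict):
    """Identity comes from the verified token; a mismatching number is refused."""
    owner = authenticated_phone(request.get("token") or "")
    if owner is None:
        return 401, []
    if request.get("phone", owner) != owner:
        return 403, []  # worth logging: caller asked for another user's data
    return 200, RECORDINGS.get(owner, [])
```

The 403 branch is also a useful detection signal: a token that repeatedly asks for numbers other than its own should be logged and alerted on.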

According to the app’s website, over one million users downloaded the call recorder in more than 20 countries.

Prakash first reported the vulnerability to TechCrunch. The news portal verified the findings with a spare phone and a dedicated account. Zack Whittaker of TechCrunch confirmed the configuration flaw allowed anyone to access other users’ voice recordings by knowing their phone number. He also said the app’s storage bucket on Amazon stored more than 130,000 recordings amounting to about 300 Gb.

Whittaker contacted the app’s developer, who then released an app update on Saturday that fixed the vulnerability.

TechCrunch held off publishing news of the bug until the developer had fixed the flaw. The app’s release notes simply said the app update patched “a security report.”

About the author

CIM Team
