An iOS call recorder app was found exposing the conversations of thousands of its users. Bad actors could get access to private conversations by bypassing the app’s network traffic and providing the correct phone numbers.
The application called either “Automatic call recorder” or “Acr call recorder” has thousands of user reviews in App Store and a rating above 4 stars, and has been named among the top call recording apps for iPhone.
The bug was found and reported by Anand Prakash, founder of PingSafe AI.
Using open-source intelligence, the security researcher found the app’s cloud storage on Amazon that hosted the app users’ names and other sensitive data.
Using a web proxy tool like Burp or Zap to bypass the app’s network traffic an attacker could insert the phone number of any user in the recording’s request. The responding API did not run any authentication but freely returned the recordings associated with the phone number. What’s more, the bucket also leaked that user’s call history, Prakash says.
According to the app’s website, over one million users downloaded the call recorder in more than 20 countries.
Prakash first reported the vulnerability to TechCrunch. The news portal verified the findings with a spare phone and a dedicated account. Zack Whittaker of TechCrunch confirmed the configuration flaw allowed anyone to access other users’ voice recordings by knowing their phone number. He also said the app’s storage bucket on Amazon stored more than 130,000 recordings amounting to about 300 Gb.
Whittaker contacted the app’s developer who then released an app update that fixed the vulnerability on Saturday.
TechCrunch withheld from publishing the news about the bug until the flaw was fixed by the developer. The app’s release notes simply said the app update patched “a security report.”