A bug in a popular iPhone app exposed thousands of call recordings

iPhone Call Recording App Exposed User Data
A significant security weakness within a widely-used iPhone application designed for call recording resulted in the exposure of thousands of users' private conversations.
Vulnerability Discovery
The security flaw was identified by Anand Prakash, a security researcher and the founder of PingSafe AI. He found that the Call Recorder app let anyone who knew another user's phone number retrieve that user's call recordings.
Prakash used Burp Suite, a widely used intercepting proxy, to inspect and modify the app's network traffic.
Exploitation of the Flaw
Using the proxy, Prakash replaced his own registered phone number in the app's requests with another user's number.
The app then returned that user's recordings, which he could play back directly on his own device.
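The failure described above is an authorization check that trusts an identifier supplied by the client. The following is an added illustration, not the Call Recorder app's code: a minimal request handler written in the vulnerable form and in a corrected form that selects recordings by the server-side session identity and rejects any request whose client-supplied number disagrees with it. The record store, session and request shapes, and phone numbers are constructed for the example.

```python
# Added example (not the Call Recorder app's code). Models the authorization
# flaw in the article and its fix. The store, Session and Request types and
# the phone numbers are hypothetical, constructed for this illustration.
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample store: recordings keyed by the owner's phone number.
RECORDINGS = {
    "+15550000001": ["alice-call-1.m4a", "alice-call-2.m4a"],
    "+15550000002": ["bob-call-1.m4a"],
}


@dataclass
class Session:
    """Server-side session established at login. The phone number here is
    set by the server after verification, never copied from a request."""
    phone: str


@dataclass
class Request:
    session: Session
    body: dict = field(default_factory=dict)


def list_recordings_vulnerable(req: Request) -> List[str]:
    """Vulnerable form: the owner is taken from the request body, so any
    logged-in user who edits that field (for example through a proxy) is
    served another user's recordings. This is the defect the article describes."""
    phone = req.body.get("phone", req.session.phone)
    return list(RECORDINGS.get(phone, []))


def list_recordings_fixed(req: Request) -> List[str]:
    """Fixed form: the owner comes only from the authenticated session.
    A body field that names a different number is refused rather than
    silently ignored; a mismatch like that is a tampered request and is
    worth logging and alerting on."""
    owner = req.session.phone
    claimed: Optional[str] = req.body.get("phone")
    if claimed is not None and claimed != owner:
        raise PermissionError(
            "phone number in request does not match authenticated user"
        )
    return list(RECORDINGS.get(owner, []))


def demo() -> dict:
    """Runs the same tampered request against both handlers."""
    alice = Session(phone="+15550000001")
    # Alice's session, but the body names Bob's number.
    tampered = Request(session=alice, body={"phone": "+15550000002"})
    result = {"vulnerable": list_recordings_vulnerable(tampered)}
    try:
        result["fixed"] = list_recordings_fixed(tampered)
    except PermissionError as err:
        result["fixed"] = f"rejected: {err}"
    return result


if __name__ == "__main__":
    print(demo())
```

The corrected handler ignores nothing and trusts nothing from the body: identity comes from the session, and a disagreeing client value fails closed. Rejecting rather than silently overriding also gives the server a clean signal to log, which is the detection point for this class of bug.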
Verification of Findings
TechCrunch independently confirmed Prakash’s research using a separate phone and a newly created account.
Cloud Storage Exposure
The application stored users' call recordings in a storage bucket hosted on Amazon Web Services. The bucket's file listing was publicly accessible, but the files themselves could not be opened or downloaded at the time.
However, the storage bucket has since been secured and closed.
Scale of the Data Breach
At the time the vulnerability was reported, the cloud storage bucket contained over 130,000 audio recordings, totaling approximately 300 gigabytes of data.
The developer says the app has been downloaded more than 1 million times.
Developer Response and Patch
TechCrunch alerted the app developer to the security issue and delayed publication to allow for remediation.
A revised version of the app was submitted to Apple's App Store on Saturday, with release notes indicating a security fix.
Lack of Further Communication
Despite an initial acknowledgment of the security concern, the app developer, Arun Nair, has not responded to subsequent requests for further comment.
Zack Whittaker
Zack Whittaker is the security editor at TechCrunch.
He also writes "this week in security," a regularly published cybersecurity newsletter.