A flaw in this call recorder app would let hackers listen


In terms of privacy nightmares, this is pretty bad: a glaring security flaw in a popular iPhone call recording app would have let literally anyone listen to a user’s recordings if they knew the target’s phone number.

Call Recorder claims to have over a million downloads worldwide, which makes it all the more troubling that the app’s security flaws seem to have been discovered so easily by Anand Prakash, a security researcher and founder of Pingsafe AI. Prakash recently shared his findings with TechCrunch.

Apps like Call Recorder are a pretty popular way to keep track of business-related meetings and calls, though they have raised important privacy and security issues because of the way they store such sensitive data in the cloud. In general, storing application data in cloud services can be a rather dubious proposition if that storage does not have the proper protections.

In this particular case, access to the Call Recorder cloud repository — and therefore to thousands of stored phone conversations — could be easily obtained by exploiting an open security hole.

After creating an account with the app, Prakash found that he could access and manipulate web traffic traveling to and from it using a common penetration testing program. From there, he discovered that if he replaced the phone number he had registered in Call Recorder with a different number, the app would deliver that user’s data to his phone, including stored calls and associated metadata.

“The vulnerability allowed any malicious actor to listen to any user’s call recording from the application’s cloud storage repository and an unauthenticated API that filtered the cloud storage URL of the victim’s data,” Prakash writes.
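The class of flaw described above, shown from the server side as an added example (not the app's code or Prakash's): a handler that trusts the phone number sent by the client, beside one that takes the owner from the authenticated session and records any mismatch. The handler names, tokens, numbers and URLs are all constructed for illustration.

```python
# Added illustration; every name, token and record here is constructed.
import hmac
from typing import Optional

RECORDINGS = {  # phone number -> stored recording URLs (constructed data)
    "+15550100": ["https://storage.example/rec/a1.mp3"],
    "+15550199": ["https://storage.example/rec/b7.mp3"],
}
# Session token -> phone number verified at registration (constructed).
SESSIONS = {"tok-alice": "+15550100", "tok-bob": "+15550199"}


def fetch_recordings_vulnerable(request: dict) -> dict:
    """Trusts the client-supplied number: the behaviour the article describes."""
    number = request["body"]["phone"]
    return {"status": 200, "recordings": RECORDINGS.get(number, [])}


def _session_number(token: Optional[str]) -> Optional[str]:
    """Resolve a session token to the number verified at registration."""
    if not token:
        return None
    for known, number in SESSIONS.items():
        if hmac.compare_digest(known, token):  # constant-time comparison
            return number
    return None


def fetch_recordings_hardened(request: dict, audit: list) -> dict:
    """Derives the owner from the session, never from the request body."""
    owner = _session_number(request.get("token"))
    if owner is None:
        return {"status": 401, "recordings": []}
    claimed = request["body"].get("phone")
    if claimed is not None and claimed != owner:
        # A body/session mismatch is a tampering signal worth alerting on.
        audit.append({"event": "phone_mismatch", "session": owner, "claimed": claimed})
        return {"status": 403, "recordings": []}
    return {"status": 200, "recordings": RECORDINGS.get(owner, [])}
```

The audit entries give a detection hook: repeated `phone_mismatch` events from one session indicate someone cycling through other users' numbers.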

After Prakash contacted the app developer, a new secure version of Call Recorder was released on Saturday. TechCrunch reports that at the time of the patch, there was about 300 gigabytes of data, or “more than 130,000 audio recordings” stored in the Call Recorder cloud repository.

We have contacted the app developer for comment and will update this post when we hear back.
