PingSafe AI, a security firm that monitors breaches in real time, has found a critical vulnerability in the iPhone app Automatic Call Recorder that exposed thousands of users' recorded calls. The vulnerability was found by Anand Prakash, a security researcher and the founder of PingSafe AI. He discovered that the app, named "Call Recorder", let anyone listen to other users' call recordings by supplying just their phone number.
The vulnerability stems from insecure communication between the app and its backend. Using a proxy tool such as Burp Suite, anyone could view and modify the app's network traffic and pass another user's phone number in the recording request, since the server did not check that the number belonged to the requesting user. PingSafe AI also found that the app's IPA file contained hostnames, S3 bucket names, and other sensitive data.
"Security issues like this are catastrophic in nature," Prakash said. "Along with impacting customers' privacy, these also harm the company's image and provide an added advantage to the competitors."
Prakash found the vulnerability using the application security testing tools Burp Suite/ZAP, which revealed a POST API request in which a user's UserID could be replaced with any other phone number, including its country code. The Amazon Web Services cloud storage bucket was also found to be open, which left the files inside exposed with no restriction on who could access or download them. Apple shut down the bucket shortly ahead of the press coverage of this vulnerability.
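The flaw described above is a classic insecure direct object reference: the server trusts the UserID the client sends instead of deriving it from the authenticated session. The following is an added illustration, not the app's or PingSafe's code, modelling a vulnerable recording-lookup handler beside a hardened one; the data, tokens and function names are constructed for the example.

```python
# Added example (not the app's code): a minimal model of a call-recording lookup
# that trusts a client-supplied UserID, beside a hardened handler that derives
# the owner from the session and treats a mismatch as a tampered request.
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample data: recordings keyed by phone number with country code.
RECORDINGS = {
    "+15550001111": ["call-2021-03-01.m4a", "call-2021-03-04.m4a"],
    "+15550002222": ["call-2021-03-02.m4a"],
}

# Constructed session store: opaque bearer token -> phone number that logged in.
SESSIONS = {
    "tok-alice": "+15550001111",
    "tok-bob": "+15550002222",
}

@dataclass
class Request:
    token: str   # bearer token presented by the app
    body: dict   # JSON body of the POST; the article's request carried a UserID

def list_recordings_vulnerable(req: Request) -> list[str]:
    """Authenticates the caller but then honours whatever UserID the body
    carries, so any logged-in user can read any other user's recordings."""
    if req.token not in SESSIONS:
        raise PermissionError("not authenticated")
    return RECORDINGS.get(req.body["UserID"], [])

def list_recordings_fixed(req: Request) -> list[str]:
    """Looks up the owner from the session. The body's UserID is never used
    as the lookup key; if it disagrees with the session, the request is
    rejected, which is also the signal a detection rule should alert on."""
    owner = SESSIONS.get(req.token)
    if owner is None:
        raise PermissionError("not authenticated")
    requested = req.body.get("UserID")
    if requested is not None and requested != owner:
        raise PermissionError(f"UserID {requested} does not belong to session owner")
    return RECORDINGS.get(owner, [])

def is_denied(handler, req: Request) -> bool:
    """Helper for checks: True if the handler refuses the request."""
    try:
        handler(req)
    except PermissionError:
        return True
    return False
```

Running the tampered request (Bob's session, Alice's number) through both handlers shows the first returning Alice's files and the second refusing.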
After the bug was identified and mitigated, the company behind Automatic Call Recorder was notified of the vulnerability, and a new version of the app was released on the App Store on March 6. The company has asked users who have disabled automatic updates to install the update as soon as possible.