PingSafe AI discovered the security flaw in the iPhone call recording app


PingSafe AI, a security firm that monitors many breaches in real time, has found a critical vulnerability in an iPhone automatic call recorder application that exposed thousands of users’ recorded calls. The vulnerability was found by Anand Prakash, a security researcher and the founder of PingSafe AI. He discovered that the app, named “Call Recorder”, allowed anyone to listen to other users’ call recordings using only their phone number.

The vulnerability is related to insecure communications going in and out of the app. Using a proxy tool such as Burp Suite, anyone could view and modify the network traffic and pass another user’s number in the recording request. PingSafe AI also discovered that the application’s IPA file contained hostnames, S3 buckets, and other sensitive user data.

“Security issues like this are catastrophic in nature,” Prakash said. “Along with impacting customers’ privacy, these also harm the company’s image and provide an added advantage to the competitors.”

Prakash discovered the vulnerability using the application vulnerability testing tools Burp Suite/ZAP, which revealed a POST API request in which the UserID could be modified to another person’s phone number, with any country code. The Amazon Web Services cloud storage server was also found open, which left the files inside exposed and without any restriction, the files could not be accessed or downloaded. Apple was successful in shutting down the bucket quite early for the press coverage of this vulnerability.

After recall and mitigation of this bug, the company behind Automatic Call Recorder was notified about the vulnerability, and a new version of the app was released on the App Store on March 6. The company has asked users who have disabled automatic updates to install the update as soon as possible.
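
The class of flaw described above, a recordings endpoint that trusts the `UserID` sent in the POST body, is shown here next to a server-side ownership check. This is an added example, not the app's code: the handler names, session store, audit list and sample phone numbers are constructed assumptions; only the `UserID` field comes from the article.

```python
import secrets

# Constructed sample data: recordings keyed by the owner's phone number.
RECORDINGS = {
    "+15550100": ["rec-a1.m4a"],
    "+15550199": ["rec-b7.m4a", "rec-b8.m4a"],
}
SESSIONS = {}  # token -> phone number, written only by the server at login
AUDIT = []     # mismatch events a detection rule could alert on


def login(phone):
    """Issue a session token after the number has been verified (assumed)."""
    token = secrets.token_urlsafe(16)
    SESSIONS[token] = phone
    return token


def list_recordings_vulnerable(body):
    # Flaw: the client-supplied UserID is the only thing deciding whose
    # recordings are returned, so editing it in a proxy changes the owner.
    return RECORDINGS.get(body["UserID"], [])


def list_recordings_hardened(token, body):
    # Identity comes from the server-side session, never from the body.
    owner = SESSIONS.get(token)
    if owner is None:
        raise PermissionError("not authenticated")
    requested = body.get("UserID", owner)
    if requested != owner:
        # Record the attempt so repeated mismatches can be investigated.
        AUDIT.append({"event": "userid_mismatch",
                      "session": owner, "requested": requested})
        raise PermissionError("UserID does not match session")
    return RECORDINGS.get(owner, [])


if __name__ == "__main__":
    t = login("+15550100")
    print(list_recordings_vulnerable({"UserID": "+15550199"}))
    try:
        list_recordings_hardened(t, {"UserID": "+15550199"})
    except PermissionError as exc:
        print("rejected:", exc, AUDIT[-1])
```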
