PingSafe AI discovered the security flaw in the iPhone call recording app


    PingSafe AI, a security firm that monitors breaches in real time, has found a critical vulnerability in the iPhone automatic call recorder application that exposed thousands of users’ recorded calls. The vulnerability was found by Anand Prakash, a security researcher and the founder of PingSafe AI. He discovered that the app, named “Call Recorder”, allowed anyone to listen to other users’ call recordings using just their phone number.

    The vulnerability is related to insecure communications going in and out of the app. Using a proxy tool such as Burp Suite, anyone could view and modify the app’s network traffic and pass another user’s number in the recording request. PingSafe AI also discovered that the application’s IPA file contained hostnames, S3 buckets, and other sensitive user data.

    “Security issues like this are catastrophic in nature,” Prakash said. “Along with impacting customer’s privacy, these also harm the company’s image and provide an added advantage to the competitors.”

    Prakash found the vulnerability using the application security testing tools Burp Suite/ZAP, which showed him a POST API request in which the UserID could be changed to another person’s phone number, with any country code. The Amazon Web Services cloud storage server was also found open, which left the files inside exposed and without any restriction; the files could not be accessed or downloaded. Apple was successful in shutting down the bucket quite early for the press coverage of this vulnerability.

    After recall and mitigation of this bug, the company behind Automatic Call Recorder was notified about the vulnerability, and a new version of the app was released on the App Store on March 6. The company has asked users who have restricted automatic updates to install the update as soon as possible.
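
    The flaw described above is a server trusting a client-supplied UserID. The following is an added example, not code from the app or from PingSafe AI, showing that pattern beside a hardened handler; the function names, token scheme, and sample data are assumptions constructed for illustration.

```python
# Added illustration: every name and value here is constructed, not from the app.
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # per-deployment signing key (assumption)

# Constructed sample store: phone number -> recording object keys
RECORDINGS = {
    "+15550100": ["rec/a1.m4a", "rec/a2.m4a"],
    "+15550199": ["rec/b1.m4a"],
}


def _mac(phone: str) -> str:
    return hmac.new(SERVER_KEY, phone.encode(), hashlib.sha256).hexdigest()


def issue_token(phone: str) -> str:
    """Issued only after the server has verified ownership of `phone`."""
    return f"{phone}.{_mac(phone)}"


def authenticated_phone(token: str):
    """Return the phone number bound to a valid token, or None."""
    phone, _, mac = token.rpartition(".")
    if phone and hmac.compare_digest(mac.encode(), _mac(phone).encode()):
        return phone
    return None


def fetch_recordings_vulnerable(body: dict):
    """Flawed pattern: identity is read from a field the client controls."""
    return 200, RECORDINGS.get(body.get("UserID"), [])


def fetch_recordings_hardened(body: dict, token: str):
    """Identity comes from the verified token; the body field is cross-checked."""
    phone = authenticated_phone(token or "")
    if phone is None:
        return 401, []
    if body.get("UserID") not in (None, phone):
        return 403, []  # mismatch: reject, and log it as a detection signal
    return 200, RECORDINGS.get(phone, [])
```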
