A flaw in this call recording application would have allowed hackers to listen in


Photo: Ming Yeung | (Getty Images)

As privacy nightmares go, this one is pretty bad: a glaring security flaw in a popular iPhone call recording app would have let literally anyone listen to a user’s recordings if they knew the target’s phone number.

Call Recorder claims to have over a million global downloads. This makes it all the more worrying that the application’s security flaws seem to have been so easily discovered by Anand Prakash, security researcher and founder of Pingsafe AI. Prakash recently shared his findings with TechCrunch.

Apps like Call Recorder are a fairly popular way to keep track of business-related meetings and calls, even though they have raised significant privacy and security issues due to the way they store such sensitive data in the cloud. In general, storing application data through cloud services can be a rather uncertain proposition if that storage does not have adequate protection.

In this particular case, access to Call Recorder’s cloud storage bucket, and thus to thousands of stored phone conversations, could be easily obtained by exploiting an open security hole.

After creating an account with the app, Prakash discovered that he could access and manipulate the web traffic traveling to and from it using a common penetration testing program. From there, he found that if he replaced the phone number he had registered with Call Recorder with a different number, the app would deliver that user’s data to his phone, including stored phone calls and associated metadata.

“The vulnerability allowed any malicious actor to listen to any user’s call log in the application’s cloud storage compartment and an unauthenticated API endpoint that leaked the victim’s cloud storage URL,” Prakash writes.
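The flaw described above comes down to a server that lets a client-supplied phone number decide whose data is returned. The following is an added example, not code from Call Recorder or from Prakash's write-up: it assumes a simplified request dictionary and a hypothetical in-memory store, session table and signing key, and contrasts that pattern with a handler that takes identity from the server-side session and hands out only short-lived signed links.

```python
import hashlib, hmac, secrets, time

SIGNING_KEY = secrets.token_bytes(32)   # hypothetical server-side secret, never sent to clients
SESSIONS = {}                           # session token -> phone number verified at login
# Constructed sample data: phone number -> object path of that user's recording.
RECORDINGS = {"+15550000001": "/rec/u1/call-01.m4a",
              "+15550000002": "/rec/u2/call-01.m4a"}

def login(verified_phone):
    """Issue a random session token bound to the number the server verified."""
    token = secrets.token_hex(16)
    SESSIONS[token] = verified_phone
    return token

def fetch_vulnerable(request):
    """Flawed pattern: the number in the request body selects whose data is returned."""
    return {"status": 200, "path": RECORDINGS.get(request["phone"])}

def _mac(path, expires):
    msg = f"{path}|{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()

def sign(path, expires):
    """Return a link that is only valid until `expires` (Unix seconds)."""
    return f"{path}?expires={expires}&sig={_mac(path, expires)}"

def verify(path, expires, sig, now=None):
    """Storage-side check: signature matches this exact path and has not expired."""
    now = time.time() if now is None else now
    return now < expires and hmac.compare_digest(_mac(path, expires), sig)

def fetch_hardened(request, now=None):
    """Identity comes from the session; a body value that disagrees is rejected."""
    owner = SESSIONS.get(request.get("token", ""))
    if owner is None:
        return {"status": 401, "path": None}
    if request.get("phone", owner) != owner:
        return {"status": 403, "path": None}   # mismatch is worth logging as tampering
    path = RECORDINGS.get(owner)
    if path is None:
        return {"status": 404, "path": None}
    now = time.time() if now is None else now
    return {"status": 200, "path": sign(path, int(now) + 300)}
```

A 403 from the hardened handler is also a useful detection signal: a session whose requests name someone else's number is tampering with the request, not making a typing error.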

After Prakash contacted the developer of the application, a new, secure version of Call Recorder was relaunched on Saturday. TechCrunch reports that at the time of the fix, there were approximately 300 gigabytes of data, or “more than 130,000 audio recordings,” stored in Call Recorder’s cloud storage bucket.

We have contacted the developer of the app for comment and will update this post when we hear back.
