Published On: Wed, Mar 10th, 2021

A bug in a popular iPhone app exposed thousands of call recordings

A security vulnerability in a popular iPhone call recording app exposed thousands of users’ recorded conversations.

The flaw was discovered by Anand Prakash, a security researcher and founder of PingSafe AI, who found that the aptly named Call Recorder app allowed anyone to access the call recordings from other users — by knowing their phone number.

But using a readily available proxy tool like Burp Suite, Prakash could view and change the network traffic going in and out of the app. That meant he could replace his phone number registered with the app with the phone number of another app user, and access their recordings on his phone.
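The article does not show the app's backend, so the following is an added example, not the app's code: it models a recordings endpoint that trusts the phone number in the request beside one that takes the owner from a server-issued token. The function names, token format and sample data are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: recordings keyed by the owner's registered number.
RECORDINGS = {
    "+15550000001": ["alice-call-1.m4a", "alice-call-2.m4a"],
    "+15550000002": ["bob-call-1.m4a"],
}
SERVER_KEY = secrets.token_bytes(32)  # server-side secret, never sent to the app


def _mac(phone):
    return hmac.new(SERVER_KEY, phone.encode(), hashlib.sha256).hexdigest()


def issue_token(verified_phone):
    """Issued after the number is verified (assumed: e.g. an SMS code)."""
    return f"{verified_phone}:{_mac(verified_phone)}"


def phone_from_token(token):
    """Return the number the token was issued for, or None if it is forged."""
    phone, _, mac = token.partition(":")
    ok = hmac.compare_digest(mac.encode(), _mac(phone).encode())
    return phone if ok else None


def list_recordings_weak(request):
    """Flawed pattern: the owner is whatever number the client sends."""
    return 200, RECORDINGS.get(request.get("phone", ""), [])


def list_recordings_checked(request):
    """Owner comes from the authenticated token; the body is only cross-checked."""
    owner = phone_from_token(request.get("token", ""))
    if owner is None:
        return 401, []  # missing or forged token
    if request.get("phone", owner) != owner:
        return 403, []  # body names another user's number: refuse (and log)
    return 200, RECORDINGS.get(owner, [])
```

With the second handler, editing the phone number in transit changes nothing the server relies on, because the lookup key is taken from the token the server itself signed.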

TechCrunch verified Prakash’s findings using a spare phone with a dedicated account.

The app stores its users’ call recordings on a cloud storage bucket hosted on Amazon Web Services. Although the cloud storage server was open and listed the files inside, the files could not be accessed or downloaded. The bucket was closed by press time.

At the time of writing, the cloud storage bucket had more than 130,000 audio recordings, amounting to some 300 gigabytes. The app says it has more than 1 million downloads to date.

TechCrunch contacted the app developer and held this story until the flaw was fixed. A new version of the app was submitted to Apple’s app store on Saturday. The release notes said the app update was to “patch a security report.”

Despite a brief response to the initial email acknowledging the security issue, the app developer Arun Nair has not returned several requests for comment.


Send tips securely over Signal and WhatsApp to +1 646-755-8849. You can also send files or documents using SecureDrop.
