A flaw in this call recorder application would allow hackers to hear


Photograph: Ming Yeung (Getty Images)

In terms of privacy nightmares, this is very bad: a glaring security flaw in an iPhone call recorder app would have literally let anyone listen to a user’s recordings if they knew their target’s phone number.

Call Recorder claims to have more than one million global downloads. This makes it even more worrying that the security holes in the app seem to have been discovered so easily by Anand Prakash, a security researcher and founder of Pingsafe AI. Prakash recently shared his findings with TechCrunch.

Apps like Call Recorder are a very popular way to keep track of business-related meetings and calls, even though they have raised significant privacy and security issues due to the way they store this sensitive data in the cloud. In general, storing application data through cloud services can be a very dubious proposition if that storage does not have adequate protections.

In this specific case, Call Recorder’s cloud bucket, and therefore thousands of stored phone conversations, could easily be accessed by exploiting a security flaw.

After creating an account with the app, Prakash found that he could access and manipulate the web traffic that travels to and from it using a common penetration testing program. From there, he found that if he replaced the phone number he had registered with Call Recorder with a different number, the app would deliver user data to his phone, including stored calls and associated metadata.

“The vulnerability allowed any malicious agent to listen to the call recording of any user from the application’s cloud storage bucket and an unauthenticated API endpoint that leaked the cloud storage URL of the victim’s data,” Prakash wrote.
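The flaw described above is a missing authorization check: the server trusted a phone number supplied by the client. The sketch below is an added example, not the app's or the researcher's code; it contrasts that pattern with a handler that takes the owner from the authenticated session and returns short-lived signed links. All function names, tokens, numbers, paths and the storage host are hypothetical, and the signed-link scheme is an assumption about one reasonable mitigation.

```python
import hashlib
import hmac
import time

# Constructed sample data: all numbers, tokens, paths and hosts are hypothetical.
RECORDINGS = {"+15550100": ["rec/a1.m4a"], "+15550199": ["rec/b7.m4a"]}
SESSIONS = {"token-alice": "+15550100"}  # session token -> verified phone number
SIGNING_KEY = b"demo-only-key"


def list_recordings_vulnerable(body):
    """Flawed pattern: no authentication, and the request body picks the owner."""
    return {"status": 200, "files": RECORDINGS.get(body.get("phone"), [])}


def _sign(path, expires):
    msg = f"{path}|{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def list_recordings_fixed(headers, body, now=None):
    """Hardened pattern: the owner comes from the session, never from the body."""
    now = int(time.time()) if now is None else now
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    owner = SESSIONS.get(token)
    if owner is None:
        return {"status": 401, "files": []}
    # A client-supplied number that disagrees with the session is rejected.
    if body.get("phone") not in (None, owner):
        return {"status": 403, "files": []}
    expires = now + 300  # short-lived link instead of a permanent bucket URL
    files = [f"https://storage.example/{p}?exp={expires}&sig={_sign(p, expires)}"
             for p in RECORDINGS.get(owner, [])]
    return {"status": 200, "files": files}


def verify_link(path, expires, sig, now):
    """Storage-side check: signature is valid and the link has not expired."""
    return hmac.compare_digest(sig, _sign(path, expires)) and now <= expires
```

Logging the 403 branch gives defenders a direct signal that a client is submitting a number other than its own.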

After Prakash contacted the app’s developer, a new secure version of Call Recorder was relaunched on Saturday. TechCrunch reports that, at the time of the fix, there were about 300 gigabytes of data, or “more than 130,000 audio recordings,” stored in Call Recorder’s cloud bucket.

We’ve contacted the app’s developer for comment and will update this post when we have a response.
