In terms of privacy nightmares, this one is pretty bad: a noticeable security flaw in a popular iPhone call recording app would have literally made everyone listen to a user’s recordings if they knew their phone number of their target.
Call recorder claims to have more than a million worldwide downloads. This makes it all the more worrying that the app’s security issues seem to have been so easily discovered by Anand Prakash, a security researcher and founder of Pingsafe AI. Prakash recently shared his findings with TechCrunch.
Programs like Call Recorder are a very popular way to keep track of business related meetings and calls, although they are raised significant privacy and security concerns because of the way they store such sensitive data in the cloud. General app storage of data via cloud services can be a pretty infallible proposition if the storage space does not have the correct protection.
In this particular case, access to Call Recorder’s cloud bucket – and thus to thousands of stored phone calls – can be easily scrapped by using a gaping security hole.
After creating an account with the app, Prakash found that he could access and manipulate the web traffic that traveled to and from there using a common penetration testing program. From there, he discovers that the app would deliver the user’s data on his phone, including stored calls and associated metadata, should he replace the phone number he registered with Call Recorder with another number.
G / O Media can get a commission
“The vulnerability enabled each malicious actor to eavesdrop on any user’s call recorder from the application’s cloud storage and an unauthorized API endpoint that leaked the victim’s cloud storage URL, ‘ Prakash writes.
After Prakash reached the app developer, a new, secure version of Call Recorder was re-launched on Saturday. TechCrunch reports that at the time of loading, approximately 300 gigabytes of data, or ‘more than 130,000 audio recordings’, were stored in Call Recorder’s cloud cache.
We & # 39; ve contacted the app developer for comment and will update this post when we hear about it.