In terms of privacy nightmares, this one is pretty bad: a glaring security flaw in a popular iPhone call recorder app would have let literally anyone listen to a user’s recordings if they knew their target’s phone number.
The app in question, Call Recorder, claims to have over a million global downloads. This makes it all the more worrying that its security flaws were so easily discovered by Anand Prakash, a security researcher and founder of Pingsafe AI. Prakash recently shared his findings with TechCrunch.
Apps like Call Recorder are a pretty popular way to keep track of business-related meetings and calls, though they have raised significant privacy and security concerns due to the way in which they store such sensitive data in the cloud. In general, app data storage via cloud services can be a pretty iffy proposition if that storage doesn’t have the proper protections.
In this particular case, access to Call Recorder’s cloud bucket—and thus, to thousands of stored phone conversations—could be easily jimmied through the exploitation of a gaping security hole.
After creating an account with the app, Prakash found that he could access and manipulate web traffic traveling to and from it using a common penetration testing program. From there, he discovered that if he replaced the phone number he had registered with Call Recorder with a different number, the app would deliver that user’s data to his phone, including stored phone calls and associated metadata.
“The vulnerability allowed any malicious actor to listen to any user’s call recording from the cloud storage bucket of the application and an unauthenticated API endpoint which leaked the cloud storage URL of the victim’s data,” Prakash writes.
After Prakash reached out to the app developer, a new, secure version of Call Recorder was re-launched on Saturday. TechCrunch reports that, at the time of the patching, there were about 300 gigabytes of data, or “more than 130,000 audio recordings” stored in Call Recorder’s cloud bucket.
We have reached out to the app developer for comment and will update this post when we hear back.