The popular iPhone app Call Recorder contained a flaw that exposed thousands of phone recordings. The bug allowed a threat actor to access another user's call recordings, provided the attacker knew the target's phone number.
Call Recorder is an iPhone app that lets users record phone calls, both incoming and outgoing. It is used primarily for business calls and meetings. The recordings are stored in the cloud in an Amazon Web Services (AWS) storage bucket.
The app has been downloaded more than one million times. According to Phone Arena, it ranks among the top 20 business apps in over 20 countries.
According to TechCrunch, security researcher and PingSafe AI founder Anand Prakash discovered the flaw. He reportedly used a readily available proxy tool, such as Burp Suite, for his initial investigation.
According to the news site, Prakash was able to intercept the network traffic of the iOS Call Recorder app. TechCrunch also noted that this meant he could not only view the requests for incoming and outgoing call recordings but also modify them in transit.
Prakash found that by altering requests through the proxy, he could replace the phone number registered with Call Recorder with another user's number. The app's backend then returned that user's data to his device, including the stored call recordings and their associated metadata.
In a blog post, Prakash wrote, “The vulnerability allowed any malicious actor to listen to any user’s call recording from the cloud storage bucket of the application and an unauthenticated API endpoint which leaked the cloud storage URL of the victim’s data.”
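The access-control failure described above is an instance of the same pattern regardless of the app: the server takes the caller's identity from a client-supplied field (here a phone number) instead of from the authenticated session, and returns storage locations for whoever that field names. The following is an added illustration, not Call Recorder's code and not from Prakash's report; the data, session tokens, signing key and URL scheme are all constructed for the example. It places the flawed handler beside a hardened one that ignores the client-supplied number, derives identity from the session, and hands out short-lived signed URLs rather than raw bucket paths.

```python
"""Added example (not the app's code): a 'list my recordings' endpoint modelled
two ways, so the identity-from-request-parameter flaw can be seen beside the fix."""
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample data: bucket keys of recordings, grouped by the owner's phone number.
RECORDINGS = {
    "+15550000001": ["rec/alice-2021-03-01.m4a", "rec/alice-2021-03-02.m4a"],
    "+15550000002": ["rec/bob-2021-03-03.m4a"],
}
# Constructed session store: bearer token -> phone number the token was issued to.
SESSIONS = {"token-alice": "+15550000001", "token-bob": "+15550000002"}
SIGNING_KEY = b"example-signing-key"  # placeholder; a real deployment uses a managed secret


@dataclass
class Request:
    token: Optional[str]  # bearer token from the Authorization header, if any
    params: dict          # parsed request body / query parameters


class AuthError(Exception):
    """Raised when a request is unauthenticated or asks for another user's data."""


def vulnerable_list(req: Request):
    """The flawed pattern: the phone number in the request body is treated as the
    caller's identity, so anyone who knows a number gets that user's storage paths.
    Note that no session is even required."""
    phone = req.params.get("phone")
    return RECORDINGS.get(phone, [])


def _signed_url(key: str, expires_in: int = 300) -> str:
    """Short-lived URL minted server-side: the bucket key and expiry are bound by
    an HMAC, so neither can be altered by the client."""
    exp = int(time.time()) + expires_in
    sig = hmac.new(SIGNING_KEY, f"{key}|{exp}".encode(), hashlib.sha256).hexdigest()
    return f"https://storage.example/{key}?exp={exp}&sig={sig}"


def hardened_list(req: Request):
    """Identity comes only from the authenticated session. A client-supplied
    'phone' parameter is never used for authorization; if it disagrees with the
    session it is rejected (and is worth logging as an access-control probe)."""
    if req.token is None or req.token not in SESSIONS:
        raise AuthError("authentication required")
    phone = SESSIONS[req.token]  # server-side source of truth
    requested = req.params.get("phone")
    if requested is not None and requested != phone:
        raise AuthError("cannot list another user's recordings")
    return [_signed_url(key) for key in RECORDINGS.get(phone, [])]


def verify_signed_url(url: str, now: Optional[float] = None) -> bool:
    """What the storage front-end checks before serving an object: signature over
    key and expiry must match, and the URL must not have expired."""
    parsed = urlparse(url)
    key = parsed.path.lstrip("/")
    query = parse_qs(parsed.query)
    exp, sig = int(query["exp"][0]), query["sig"][0]
    expected = hmac.new(SIGNING_KEY, f"{key}|{exp}".encode(), hashlib.sha256).hexdigest()
    now = time.time() if now is None else now
    return hmac.compare_digest(sig, expected) and now < exp


if __name__ == "__main__":
    probe = Request(token="token-bob", params={"phone": "+15550000001"})
    print("vulnerable:", vulnerable_list(probe))  # Alice's recordings, to Bob
    try:
        hardened_list(probe)
    except AuthError as err:
        print("hardened:", err)
    print("own data:", hardened_list(Request("token-bob", {})))
```

The two behaviours to verify in a review are that the hardened handler never consults the request parameter to decide whose data to return, and that what it returns cannot be replayed against a different key or after expiry; both can be checked offline with the functions above.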
As of writing, TechCrunch reports that the AWS storage bucket contains over 130,000 audio recordings, amounting to about 300 gigabytes of files. The news site states that although the storage bucket was publicly accessible, the account data and recorded files could not be downloaded directly.
Prakash discovered the flaw on February 27, 2021, and reported it to the developer of Call Recorder. The developer released a patch for the vulnerability on Saturday, March 6, 2021.
TechCrunch states that the update submitted to the App Store was accompanied by a note saying it was created to “patch a security report.”