A security researcher and founder of PingSafe AI, Anand Parkash, discovered that users' data recorded by a popular iPhone app, 'Automatic Call Recorder', could be accessed easily via an unauthenticated API. The security vulnerability let miscreants listen to users' calls.
The Automatic Call Recorder app allows users to record all domestic and international incoming and outgoing calls. It also lets users edit, organize and upload recordings to business platforms such as Slack, Google Drive, Dropbox, and OneDrive.
Luckily, the vulnerability was discovered on February 27, and on the same day with TechCrunch’s help, the researcher was able to reach out to the developer. By March 6, the developer acknowledged the bug and released a fix in a new update of the app.
A bug in the 'Automatic Call Recorder' iPhone app exposed thousands of users' calls
PingSafe AI uses an intelligent risk evaluation engine to monitor a company's security health by assessing all of its domains, IPs, mobile applications, leaked credentials, and source code. Parkash explained that, using this tooling, he was able to manipulate the app's API to access and listen to users' calls.
The vulnerability allowed any malicious actor to listen to any user's call recordings from the application's cloud storage bucket, via an unauthenticated API endpoint that leaked the cloud storage URL of the victim's data.
This vulnerability existed in the "/fetch-sinch-recordings.php" API endpoint of the "Automatic Call Recorder" application. An attacker can pass another user's number in the recordings request and the API will respond with the recording URL in the storage bucket without any authentication. It also leaks the victim's entire call history and the numbers on which calls were made.
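The access-control pattern described above, as an added example in Python that is not code from the app or from PingSafe: the vulnerable handler lets the client-supplied number select whose data is returned and hands back bare bucket URLs, while the hardened handler takes identity only from a verified session and returns short-lived HMAC-signed links that the storage side checks. Recordings, session tokens, the bucket URL and the signing key are all constructed placeholders.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlparse

# Constructed sample data: recordings keyed by the owner's phone number.
RECORDINGS = {
    "+15550001111": [{"callee": "+15550002222", "object": "rec/a1.m4a"}],
    "+15550003333": [{"callee": "+15550004444", "object": "rec/b7.m4a"}],
}
SESSIONS = {"tok-alice": "+15550001111", "tok-bob": "+15550003333"}  # token -> owner
BUCKET = "https://storage.example.invalid/recordings"  # placeholder bucket URL
SECRET = b"constructed-demo-signing-key"  # placeholder key shared with storage

def fetch_recordings_vulnerable(params):
    """Mirrors the flaw: the caller-supplied number selects the data and the
    response carries unsigned bucket URLs. No session check at all."""
    return 200, [{"url": f"{BUCKET}/{r['object']}", "callee": r["callee"]}
                 for r in RECORDINGS.get(params.get("number"), [])]

def signed_url(obj, now, ttl=300):
    """Short-lived HMAC-signed link: a leaked URL stops working after ttl seconds."""
    exp = now + ttl
    sig = hmac.new(SECRET, f"{obj}|{exp}".encode(), hashlib.sha256).hexdigest()
    return f"{BUCKET}/{obj}?exp={exp}&sig={sig}"

def storage_allows(url, now):
    """What the storage front-end checks before serving an object."""
    u = urlparse(url)
    q = parse_qs(u.query)
    obj = u.path.removeprefix(urlparse(BUCKET).path + "/")
    exp = int(q.get("exp", ["0"])[0])
    sig = q.get("sig", [""])[0]
    good = hmac.new(SECRET, f"{obj}|{exp}".encode(), hashlib.sha256).hexdigest()
    return now < exp and hmac.compare_digest(sig, good)

def fetch_recordings_hardened(params, headers, now):
    """Identity comes from the verified session, never from the request body."""
    token = headers.get("Authorization", "").removeprefix("Bearer ")
    owner = SESSIONS.get(token)
    if owner is None:
        return 401, {"error": "authentication required"}
    # A client-supplied number is accepted only when it is the caller's own.
    if params.get("number") not in (None, owner):
        return 403, {"error": "not your recordings"}
    return 200, [{"url": signed_url(r["object"], now), "callee": r["callee"]}
                 for r in RECORDINGS[owner]]
```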
Although the bug has been fixed, Parkash writes that such a security lapse can be very dangerous for the users and damaging for the developer.
Security issues like this are catastrophic in nature. Along with impacting customers' privacy, these also dent the company's image and provide an added advantage to the competitors.
The update to Automatic Call Recorder is now available on the App Store. It is compatible with iPhone and iPad and requires iOS 10.0 or later.