A security vulnerability in an iPhone voice recording app exposed users calls malicious attacks

A security researcher and founder of PingSafe AI, Anand Parkash, discovered that users’ data recorded on a popular iPhone app ‘Automatic Call Recorder’ could be accessed easily via unauthenticated API. The security vulnerability gave miscreants listened to users’ calls.

Automatic Call Recorder app allows users to record all domestic and international incoming and outgoing calls. It also offers users to edit, organize and upload recordings on business platforms like Slack, Google Drive, Dropbox, and OneDrive.

Luckily, the vulnerability was discovered on February 27, and on the same day with TechCrunch’s help, the researcher was able to reach out to the developer. By March 6, the developer acknowledged the bug and released a fix in a new update of the app.

iPhone call recording app

A bug on the ‘Automatic Call Recorder’ iPhone app exposed thousands of users calls

PingSafe AI uses an intelligent risk evaluation engine to monitor a company’s security health by assessing all domains, IPs, mobile applications, leaked credentials, and source codes. Using its AI, Parkash explained that he was able to manipulate the app’s API to access and listen to users’ calls.

The vulnerability allowed any malicious actor to listen to any user’s call recording from the cloud storage bucket of the application and an unauthenticated API endpoint which leaked the cloud storage URL of the victim’s data.

This vulnerability existed in the “/fetch-sinch-recordings.php” API endpoint of the “Automatic Call Recorder” application. An attacker can pass another user’s number in the recordings request and the API will respond with recording url of the storage bucket without any authentication. It also leaks victim’s entire call history and the numbers on which calls were made.

iPhone - Automatic Call Recorder

Although the bug has been fixed, Parkash writes that such a security lapse can be very dangerous for the users and damaging for the developer.

Security issues like this are catastrophic in nature. Along with impacting customer’s privacy, these also dents the company’s image and provides added advantage to the competitors.

The update of Automatic Call Recorder is now available on the App Store, it is compatible with iPhone and iPad and requires iOS 10.0 or later.

Read More:

About the Author

Addicted to social media and in love with iPhone, started blogging as a hobby. And now it's my passion for every day is a new learning experience. Hopefully, manufacturers will continue to use innovative solutions and we will keep on letting you know about them.

Leave a Reply

Your email address will not be published.