A vulnerability in the Call Recorder app allowed anyone to gain access to thousands of iPhone users’ call recordings. The problem was discovered by Anand Prakash, a security researcher and founder of PingSafe AI. All that was needed was the phone number of another user.
Anand Prakash used the open source Burp Suite platform, a tool for web application security testing. With its help, he could view and modify the traffic going in both directions between the app and its server. Simply put, he could replace his own phone number, as registered in the application, with the phone number of another user and gain access to that user’s call recordings.
The vulnerability was confirmed by TechCrunch journalists, who verified Prakash’s method. The Call Recorder iOS app stores recordings of its users’ conversations in cloud storage on Amazon Web Services. Although the file list was publicly accessible, the audio recordings could not be opened or downloaded. At the time of this writing, more than 130 thousand recordings of telephone conversations, with a total volume of about 300 GB, were stored in the cloud.
TechCrunch contacted the app developer and did not publish the story until the issue was fixed. The release note for the new version of Call Recorder says that the update contains a “security report fix”.
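The phone-number swap described above is a broken access control pattern: the server takes the account identity from a field the client controls. The following is an added example, not the app's actual code; the in-memory data, function names and request fields are all hypothetical, and it contrasts a handler with that flaw against one that derives the owner from the authenticated session and records mismatches for detection.

```python
import secrets

# Constructed sample data: recordings keyed by owner phone number.
RECORDINGS = {
    "+15550100": ["rec-a1.m4a", "rec-a2.m4a"],
    "+15550199": ["rec-b1.m4a"],
}
SESSIONS = {}  # session token -> phone number verified at login
ALERTS = []    # mismatch events that monitoring could alert on


def login(verified_phone):
    """Issue a session token after the number has been verified (assumed)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = verified_phone
    return token


def list_recordings_vulnerable(request):
    # Flaw: the owner comes from a client-controlled field, so whoever
    # edits the request in transit decides whose recordings are returned.
    return RECORDINGS.get(request["phone"], [])


def list_recordings_hardened(request):
    # The owner is derived only from server-side session state.
    owner = SESSIONS.get(request.get("token", ""))
    if owner is None:
        raise PermissionError("not authenticated")
    claimed = request.get("phone")
    # A claimed number that disagrees with the session is never honoured
    # and is logged as a tampering signal.
    if claimed is not None and claimed != owner:
        ALERTS.append({"session_owner": owner, "claimed": claimed})
        raise PermissionError("phone does not match session")
    return RECORDINGS.get(owner, [])
```
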