Security researcher and founder of PingSafe AI, Anand Prakash, discovered a flaw in the popular iPhone app “Automatic Call Recorder.” This bug allowed anyone to access call recordings from other users by knowing their phone number.
As reported by TechCrunch, this security vulnerability exposed thousands of users’ recorded conversations. With a proxy tool such as Burp Suite, Prakash could view and modify the network traffic going in and out of the app.
That meant he could replace his phone number registered with the app with the phone number of another app user, and access their recording on his phone.
TechCrunch said it could verify Prakash’s finding and waited until the developer fixed the bug before releasing its story.
The app stores its user’s call recordings on a cloud storage bucket hosted on Amazon Web Services. Although the public was open and lists the files inside, the files could not be accessed or downloaded. The bucket was closed by press time.
On March 6, the developer of the “Automatic Call Recorder” app released a security update, but before it was fixed, more than 130,000 audio recordings were accessible by anyone, the report explains. The app has more than 1 million downloads on the App Store, according to its page. The developer touts that the app “may be the easiest-to-use Call Recorder which you can find out on App Store.”
The developer didn’t return several requests for comment by TechCrunch’s team, but again, as of now, the bug has been fixed.