Published on: 2025-04-05

Intelligence Report: A flaw in Verizons iOS Call Filter app exposed call records of millions – Securityaffairs.com

1. BLUF (Bottom Line Up Front)

A vulnerability in Verizon’s iOS Call Filter app exposed call records of millions of users. The flaw allowed unauthorized access to call metadata, posing significant privacy and security risks. Verizon addressed the issue promptly after it was reported by Evan Connelly. Immediate actions are recommended to prevent similar vulnerabilities and enhance data protection measures.

2. Detailed Analysis

The following structured analytic techniques have been applied for this analysis:

General Analysis

The vulnerability in the Verizon iOS Call Filter app was identified in February and addressed by mid-March. The flaw allowed attackers to retrieve call records by exploiting the app’s server request process, which lacked proper ownership verification. This could lead to unauthorized access to sensitive information, including call timestamps and contact details, without the user’s knowledge.

The flaw was linked to the app’s clr_calllogretrieval endpoint, where authentication mechanisms failed to verify that the phone number header matched the user’s token. This oversight potentially enabled malicious actors to conduct real-time surveillance and track individuals’ movements and communications.

3. Implications and Strategic Risks

The exposure of call records poses significant risks to privacy and security, particularly for individuals in sensitive positions such as journalists, law enforcement, and political figures. The ability to map contact routines and movements could lead to targeted surveillance and exploitation by threat actors. This incident underscores the importance of robust cybersecurity measures in protecting user data and maintaining trust in telecommunications services.

4. Recommendations and Outlook

Recommendations:

• Enhance authentication protocols to ensure proper verification of user identities and prevent unauthorized access.
• Conduct regular security audits and penetration testing to identify and address vulnerabilities promptly.
• Implement user education programs to raise awareness about potential security threats and protective measures.

Outlook:

In the best-case scenario, Verizon’s swift response and improved security measures will restore user confidence and prevent future breaches. In the worst-case scenario, continued vulnerabilities could lead to further data breaches, legal repercussions, and reputational damage. The most likely outcome involves increased scrutiny and regulatory pressure on telecommunications providers to enhance data protection practices.

5. Key Individuals and Entities

The report mentions Evan Connelly as the researcher who discovered the vulnerability. The domain hosting the app’s API is linked to Cequint, a telecom tech firm potentially involved in the app’s backend operations. The involvement of Verizon is central to the incident, as the flaw affected its iOS Call Filter app.