Whistleblowers, journalists, abuse survivors, politicians, celebrities, and other Verizon Call Filter iOS app users have been unknowingly at risk. Ethical hacker Evan Connelly discovered a critical flaw exposing incoming call history.
“Punch in a phone number from the largest US cell carrier and instantly retrieve a list of its recent incoming calls.”
The Verizon Call Filter app, which automatically blocks spam, filters unwanted callers, including robocalls, and identifies unknown texters, also allegedly exposed all of its users’ call records.
Anyone could look up calls and timestamps for millions of app users.
Connelly discovered that the app’s server didn’t properly validate the requests for call records. An attacker can craft a simple request, and the server responds with a list of calls and timestamps – to anyone who requests it.
“It was possible to modify the phone number being sent, and then receive data back for Verizon numbers not associated with the signed-in user,” the researcher said in a blog post.
“Now imagine that number belongs to a journalist, a police officer, a politician, or someone fleeing an abuser.”
The researcher believes this flaw represents privacy and safety concerns and could even be abused as a real-time surveillance mechanism.
“With unrestricted access to another user’s call history, an attacker could reconstruct daily routines, identify frequent contacts, and infer personal relationships.”
The researcher estimates that millions of Americans using the app were exposed.
“Verizon was made aware of this vulnerability and worked with the third-party app owner on a fix and patch that was pushed in mid-March. While there was no indication that the flaw was exploited, the issue was resolved and only impacted iOS devices. Verizon appreciates the responsible disclosure of the finding by the researcher and takes the security very seriously,” Verizon said in a comment to Cybernews.
How did the hack work?
An unauthorized attacker would send a request to a server to get call history for a specified time period.
The hacker would need to craft a request that includes a JSON Web Token (JWT) for authentication. However, the server doesn’t check if the phone number in the request matches the user’s phone number in the token. The attacker can set any number in the request and access the call history.
“The issue I discovered impacted at least those who have the Verizon Call Filter service enabled (I did not test a number which had it disabled; I can’t rule out whether or not all Verizon numbers could have been impacted),” the researcher explained.
Connelly also noted that the validations “seem” to work properly on other endpoints for additional app functionality.
Unprotected server belongs to third party
Another concerning insight is that the service itself is run by an unknown third-party company and not Verizon.
When the Verizon Call Filter app needs to display call history for users, it retrieves the records from the cequintvzwecid.com domain, registered at GoDaddy, “which is a bit unusual for a large company” like Verizon.
Cequint likely represents a company name, while the rest of the domain is the same as the app package name for Android – com.vzw.ecid. The researcher found on crunchbase.com that Cequint is a firm that “provides technology that enables wireless carriers to offer caller ID services in North America.” Its listed website was down.
It raises additional questions about why the user data would be stored and leaked from the server owned by a third-party company.
“How much data does this obscure company without a website of their own have? And how well secured is it?”
Connelly disclosed the discovered issue responsibly, and Verizon quickly acknowledged it and fixed it.
Updated on April 4th [06:20 a.m. GMT] with a statement from Verizon.
Your email address will not be published. Required fields are markedmarked