Security Vulnerability in 'Call Recorder' App Exposed User Conversations

[MacRumors]

A security flaw in an app called "Call Recorder" exposed thousands of customer conversations, reports TechCrunch. The vulnerability was found by PingSafe AI researcher Anand Prakesh, and has since been patched.

The Call Recorder app is designed to allow iPhone users to record their incoming and outgoing phone calls, with those recordings stored in the cloud on Amazon Web Services.

Using a proxy tool like Burp Suite, Prakash was able to view and modify network traffic going in and out of the app, and when replacing his phone number with the phone number of another Call Recorder user, their recordings became available on his phone.

There were more than 130,000 audio recordings available, though the files could not be accessed or downloaded outside of the app. TechCrunch informed the developer about the security flaw and it was fixed in an update on Saturday.

A recent report from mobile security firm Zimperium suggested that thousands of iOS apps that use public cloud services like Amazon Web Services, Google Cloud, and Microsoft Azure have improper setups that risk exposing user data.

6,608 iOS apps were found to be exposing users' personal information, passwords, and medical information. Zimperium CEO Shridhar Mittal said that cloud storage misconfigurations are a "disturbing trend."

"A lot of these apps have cloud storage that was not configured properly by the developer or whoever set things up and, because of that, data is visible to just about anyone. And most of us have some of these apps right now," he said.

No apps were named in the report because of the vulnerabilities involved, but some were major apps including a mobile wallet from a Fortune 500 company and a transportation app from a large city.

Article Link: Security Vulnerability in 'Call Recorder' App Exposed User Conversations

 

[iapplelove]

Good stuff

 

[roar08]

"Flaw".

 

[ArPe]

If you think that’s bad you should see Clubhouse.

Actually don’t. This app is being used to brainwash and steal data and conversations in a very bad way.

Today there was a conversation promoted by Clubhouse right on the front homepage and every member was talking about how to destroy the economy and brainwash the public to accept their view economic and philosophical of the world. It was a straight up dooms day cult.

 

[robbysibrahim]

We make a big fuss about big tech but they're worlds ahead of these small app makers in terms of security and privacy. Stop installing every shiny app you see. There are no watchdogs on that one app you just installed.

 

[swingerofbirch]

Anything goes in the walled garden as long as Apple gets its pound of flesh.

Remember when they said it was going to be curated?

You're safer using the open Web, thanks to the protections of Google.

If you use Safari Fraudulent Website Warning (which you probably do by default), that's a Google feature (Apple sends the URLs to Google's servers to check them).

None of this makes Apple look good in its antitrust hearings where they say consumers trust them to have a safe app store and thus can't allow third party app stores or payment services.

 

[Rochy Bay]

A security flaw in an app called "Call Recorder" exposed thousands of customer conversations, reports TechCrunch. The vulnerability was found by PingSafe AI researcher Anand Prakesh, and has since been patched.

The Call Recorder app is designed to allow iPhone users to record their incoming and outgoing phone calls, with those recordings stored in the cloud on Amazon Web Services.

Using a proxy tool like Burp Suite, Prakash was able to view and modify network traffic going in and out of the app, and when replacing his phone number with the phone number of another Call Recorder user, their recordings became available on his phone.

There were more than 130,000 audio recordings available, though the files could not be accessed or downloaded outside of the app. TechCrunch informed the developer about the security flaw and it was fixed in an update on Saturday.

A recent report from mobile security firm Zimperium suggested that thousands of iOS apps that use public cloud services like Amazon Web Services, Google Cloud, and Microsoft Azure have improper setups that risk exposing user data.

6,608 iOS apps were found to be exposing users' personal information, passwords, and medical information. Zimperium CEO Shridhar Mittal said that cloud storage misconfigurations are a "disturbing trend."

"A lot of these apps have cloud storage that was not configured properly by the developer or whoever set things up and, because of that, data is visible to just about anyone. And most of us have some of these apps right now," he said.

No apps were named in the report because of the vulnerabilities involved, but some were major apps including a mobile wallet from a Fortune 500 company and a transportation app from a large city.

Article Link: Security Vulnerability in 'Call Recorder' App Exposed User Conversations

How Apple takes care of your privacy....

 

[rictus007]

I always wonder why people need to record a phone call, since without consent it can’t be used as evidence in a trial and might ilegal in US…… until someone from Instacart’s customer support told me to “get over it” and accept that they spy their customers but is not different from anyone else. I was like….but I’m paying for your to spy on me? And they said yes! …. I wish I have a way to record those calls.

 

[Rigby]

Anything goes in the walled garden as long as Apple gets its pound of flesh.

Remember when they said it was going to be curated?

If you expected Apple to be able to somehow detect every bug or vulnerability in every 3rd party app, you have completely unrealistic expectations.

You're safer using the open Web, thanks to the protections of Google.

Thanks for the laugh.

 

[MichaelMaier]

I always wonder why people need to record a phone call, since without consent it can’t be used as evidence in a trial and might ilegal in US…… until someone from Instacart’s customer support told me to “get over it” and accept that they spy their customers but is not different from anyone else. I was like….but I’m paying for your to spy on me? And they said yes! …. I wish I have a way to record those calls.

Correct me if I’m wrong, but in most US states you only need the consent from one participant of a recorded conversation.

 

[69Mustang]

I always wonder why people need to record a phone call, since without consent it can’t be used as evidence in a trial and might ilegal in US…… until someone from Instacart’s customer support told me to “get over it” and accept that they spy their customers but is not different from anyone else. I was like….but I’m paying for your to spy on me? And they said yes! …. I wish I have a way to record those calls.

The laws in the US vary by state and jurisdiction. Some have 2 party consent, others only require 1 party. You are right that with consent, the recording can be used as evidence in court. I live in a 1 party consent state. Fyi, 37 other states and the District of Columbia are also 1 party consent.

With that knowledge in hand, it's not really that hard to fathom why people record calls.

 

[hot-gril]

Why are the recordings even stored anywhere other than on the device? Guess it's a dumb question, since the next thing wrong with this is that they were trusting the clients instead of actually authenticating requests.

 

[Apple_Robert]

Anything goes in the walled garden as long as Apple gets its pound of flesh.

Remember when they said it was going to be curated?

You're safer using the open Web, thanks to the protections of Google.

If you use Safari Fraudulent Website Warning (which you probably do by default), that's a Google feature (Apple sends the URLs to Google's servers to check them).

None of this makes Apple look good in its antitrust hearings where they say consumers trust them to have a safe app store and thus can't allow third party app stores or payment services.

How is the subject of the article Apple's fault?

 

[swingerofbirch]

If you expected Apple to be able to somehow detect every bug or vulnerability in every 3rd party app, you have completely unrealistic expectations.


Thanks for the laugh.

It's not my expectation.

It's their advertisement.

"The App Store gives people around the world a safe and trusted place to discover apps that meet our high standards for privacy, security, and content."

Their review process has been known for a while to be a bit of a joke.

 

[swingerofbirch]

How is the subject of the article Apple's fault?

It's not their fault. It's just not what they promise.

They say won't allow third party app stores due to security and safety issues.

They have not proven they are responsible enough to curate apps to only offer safe and secure apps.

They can't even police their new nutrition labels, which have already shown to be fake among many companies.

Yet they say:

"The App Store gives people around the world a safe and trusted place to discover apps that meet our high standards for privacy, security, and content."

Who's to say a third party app store couldn't do a better job?

 

[SegNerd]

How dare they spy on you spying on your caller!

(Or, do you seriously think all the people using this in two-party states are getting permission?)

 

[Apple_Robert]

It's not their fault. It's just not what they promise.

They say won't allow third party app stores due to security and safety issues.

They have not proven they are responsible enough to curate apps to only offer safe and secure apps.

They can't even police their new nutrition labels, which have already shown to be fake among many companies.

Yet they say:

"The App Store gives people around the world a safe and trusted place to discover apps that meet our high standards for privacy, security, and content."

Who's to say a third party app store couldn't do a better job?

Having a bug in your app is not the same thing as purposefully creating an app for nefarious reasons. I believe the app on this article falls into the first category.

You are trying to make Apple look bad here by painting a picture of this event that is not contextually actually as to what you quoted about Apple and the App Store.

 

[dk001]

I always wonder why people need to record a phone call, since without consent it can’t be used as evidence in a trial and might ilegal in US…… until someone from Instacart’s customer support told me to “get over it” and accept that they spy their customers but is not different from anyone else. I was like….but I’m paying for your to spy on me? And they said yes! …. I wish I have a way to record those calls.

Sadly not true.
Recently wrapped up a legal issue where party A in a State without dual consent could record and use everything while the other side living in a dual party consent State could not.

Then again it can be fun to put "your call may be recorded for quality purposes..." on your line. The telemarketers hang up fast.

 

[deevey]

I always wonder why people need to record a phone call, since without consent it can’t be used as evidence in a trial and might ilegal in US…… until someone from Instacart’s customer support told me to “get over it” and accept that they spy their customers but is not different from anyone else. I was like….but I’m paying for your to spy on me? And they said yes! …. I wish I have a way to record those calls.

Try calling any customer service dept multiple times. Half the time they deny having a log of the previous complaints or fail to relay the call correctly.

Being able to play the call back to their supervisor - priceless !

 

[gwangung]

Who's to say a third party app store couldn't do a better job?

He. Haha. HAHAHAHAHAHAHAHAHAHHHHH!

Try another one.

 

[hayesk]

Who's to say a third party app store couldn't do a better job?

A third party app store that will entice developers to their store with lower fees than Apple's? How will these third party stores make their money? By collecting and selling your data, and letting as many developers on the store as they can.

And I don't think Epic and their ilk are complaining because they care about the 30/15% fee. It's about access to customer information.

 

[eyez73]

It would be handy to record the odd business call, are there any other apps people would recommend?

 

[coolfactor]

How Apple takes care of your privacy....

This has nothing to do with Apple. What are you saying?

This is a third-party app that was poorly and carelessly designed.

 

[deevey]

It's not their fault. It's just not what they promise.

They say won't allow third party app stores due to security and safety issues.

They have not proven they are responsible enough to curate apps to only offer safe and secure apps.

They can't even police their new nutrition labels, which have already shown to be fake among many companies.

Yet they say:

"The App Store gives people around the world a safe and trusted place to discover apps that meet our high standards for privacy, security, and content."

Who's to say a third party app store couldn't do a better job?

Would you prefer that they deny apps hosting any data on a third party storage solutions altogether and have the developer pay cloud storage fees with using only Apples cloud servers ?

The developer failed to secure their cloud storage in such a way that an unauthorized user could access the data with relative ease.

 

[hot-gril]

How Apple takes care of your privacy....

I would be surprised and annoyed if Apple didn't ban the developer for this. It's not just any vulnerability, it's an especially stupid one that exposes how incompetent and careless the devs are.