Researchers found a security vulnerability in the iOS call recording app “Automatic call recorder” that gave access to the conversations of thousands of app users. According to Anand Prakash, security researcher and founder of PingSafe AI, who discovered the flaw, the vulnerable app used open-source intelligence and exposed hostnames and other sensitive data from its cloud storage.
With more than a million downloads from the App Store, the Automatic call recorder app is a popular mobile application used by iPhone users to record their calls. The app developer fixed the vulnerability and released a new version after the researcher notified the issue.
Prakash stated that he discovered the vulnerability while performing open-source intelligence across mobile applications in various categories. The flaw has been leaking the cloud storage URL of the victim’s data to an unauthenticated API endpoint. It allowed attackers to listen to any user’s call recording from the cloud storage bucket used by the application.
Reproducing the Vulnerability
- Install the “Automatic Call Recorder” application on your phone.
- Intercept application’s traffic in Burp Suite/Zap Proxy.
- You will observe a POST API request to 88.123.157:80/fetch-sinch-recordings.phpchange UserID to victim’s phone number with country code.
- The response will have an s3 URL for the recording and other sensitive details.
“Security issues like this are catastrophic in nature. Along with impacting customer’s privacy, this also dents the company’s image and provides added advantage to the competitors. PingSafe AI uses the state-of-the-art intelligent risk evaluation engine to monitors the security health of a company comprehensively by assessing all domains, IPs, mobile applications, source codes, and leaked credentials,” Prakash said.