A serious security bug existed in the popular iPhone app Automatic Call Recorder. Exploiting the bug could easily allow an attacker to hijack users’ accounts and access their call recordings. The app developers, however, deployed a fix before the bug could come under attack.
iPhone Call Recorder App Bug
Security researcher and PingSafe AI founder Anand Prakash found a serious vulnerability in a popular iPhone app. The bug, in the app “Automatic Call Recorder”, could let an adversary spy on users’ call recordings.
As elaborated in a post, the bug existed in the “/fetch-sinch-recordings.php” API endpoint of the app. It came to the researcher’s attention during an analysis in which he decompiled the IPA file and uncovered important details of the app, including its S3 buckets and hostnames.
He then observed that anyone could access a target user’s call recordings merely by supplying the victim’s phone number.
An attacker can pass another user’s number in the recordings request and the API will respond with the recording URL of the storage bucket without any authentication. It also leaks the victim’s entire call history and the numbers on which calls were made.
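The flaw described above is a missing authentication and object-level authorization check. The following added example (not the app's code and not the fix its developers shipped) shows the flawed pattern beside a handler that takes the account identity from a server-side session instead of the request. The field names, session tokens and sample data are assumptions constructed for illustration.

```python
import hmac

# Constructed sample data: recordings keyed by the owner's phone number.
RECORDINGS = {
    "+15550100": [{"id": "r1", "peer": "+15550199"}],
    "+15550101": [{"id": "r2", "peer": "+15550188"}],
}
# Constructed server-side sessions: a token issued once a number is verified.
SESSIONS = {"tok-alice": "+15550100", "tok-bob": "+15550101"}


def fetch_recordings_unauthenticated(request):
    """Flawed pattern: the caller-supplied number is the only lookup key."""
    number = request.get("phone_number")  # hypothetical field name
    return 200, RECORDINGS.get(number, [])


def _session_owner(token):
    """Return the verified number bound to the token, or None."""
    for known, owner in SESSIONS.items():
        if hmac.compare_digest(known, token or ""):
            return owner
    return None


def fetch_recordings_authorized(request, audit_log):
    """Hardened pattern: identity comes from the session, never the request."""
    owner = _session_owner(request.get("token"))
    if owner is None:
        return 401, []  # no valid session: nothing is returned
    requested = request.get("phone_number", owner)
    if requested != owner:
        # A session asking for another account's data is a detection signal.
        audit_log.append({"event": "cross_account_request",
                          "session_owner": owner, "requested": requested})
        return 403, []
    return 200, RECORDINGS.get(owner, [])
```
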
Fix Deployed
Together with TechCrunch, the researcher pursued responsible disclosure of the bug to the developers, as they had no specific vulnerability disclosure program.
Consequently, the app developers worked on a fix and released app version 2.26 on the App Store with the patch.
Now that the bug has been fixed, all app users must ensure that their iPhones are running the latest version of the app.
Automatic Call Recorder is a well-known app among iPhone users. It’s a free app that lets users record conversations in a hassle-free manner. Currently, the app ranks 12th on the App Store in the Business category.