A security flaw in an app called "Call Recorder" exposed thousands of customer conversations, reports TechCrunch. The vulnerability was found by PingSafe AI researcher Anand Prakesh, and has since been patched.
The Call Recorder app is designed to allow iPhone users to record their incoming and outgoing phone calls, with those recordings stored in the cloud on Amazon Web Services.
Using a proxy tool like Burp Suite, Prakash was able to view and modify network traffic going in and out of the app, and when replacing his phone number with the phone number of another Call Recorder user, their recordings became available on his phone.
There were more than 130,000 audio recordings available, though the files could not be accessed or downloaded outside of the app. TechCrunch informed the developer about the security flaw and it was fixed in an update on Saturday.
A recent report from mobile security firm Zimperium suggested that thousands of iOS apps that use public cloud services like Amazon Web Services, Google Cloud, and Microsoft Azure have improper setups that risk exposing user data.
6,608 iOS apps were found to be exposing users' personal information, passwords, and medical information. Zimperium CEO Shridhar Mittal said that cloud storage misconfigurations are a "disturbing trend."
"A lot of these apps have cloud storage that was not configured properly by the developer or whoever set things up and, because of that, data is visible to just about anyone. And most of us have some of these apps right now," he said.
No apps were named in the report because of the vulnerabilities involved, but some were major apps including a mobile wallet from a Fortune 500 company and a transportation app from a large city.
