Apple releases new security patch to address call recording vulnerability

A lot has been said about Apple’s recent focus on safeguarding its users’ privacy. The company has rightly been lauded for its attempts to give users more control over their personal information.

However, a recent security flaw in a third-party app served as a timely reminder of how hard it is to preserve your online safety when using such apps.


Call Recorder app

The recently discovered flaw was found in the popular app Call Recorder, which has reportedly been downloaded over a million times.

Call recorder apps are increasingly popular as users often need to keep track of business meetings and calls to review later. This has become even more important over the last year as more and more work is done away from traditional office settings.

Apps like these have remained popular because iOS has long resisted including call recording as a native feature.

Access to recorded calls

The security flaw in question would have given anyone access to a user’s recorded calls stored in the cloud using just their phone number. The exploit was discovered by Anand Prakash.

Prakash is a security researcher and the founder of Pingsafe AI. It’s not uncommon for security researchers to undertake “ethical hacks”. These hacks help to expose potential security risks before they cause major harm in the wild.

The exploit essentially allowed Prakash to manipulate the traffic to and from Call Recorder’s cloud storage using a common penetration testing tool.

Exploit made public

Prakash was then able to change the phone number used to another number and easily access that user’s recordings stored on the cloud. Prakash writes:

“The vulnerability allowed any malicious actor to listen to any user’s call recording from the cloud storage bucket of the application and an unauthenticated API endpoint which leaked the cloud storage URL of the victim’s data”.

Prakash responsibly informed the app developers of the exploit and a secure version was pushed to users over the weekend before the details of the exploit were made public.
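
The flaw described above comes down to an endpoint that trusts a phone number supplied by the client. As an added illustration (not the app's actual code; the handler names, token scheme and sample data are assumptions constructed here), the flawed pattern is shown beside a version that takes the caller's identity from a server-verified token:

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed sample data: phone number -> storage URL of that user's recordings.
RECORDINGS = {
    "+15550100": "https://storage.example.invalid/recordings/a1",
    "+15550199": "https://storage.example.invalid/recordings/b2",
}
SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret, never sent to clients


def _mac(phone: str) -> str:
    return hmac.new(SERVER_KEY, phone.encode(), hashlib.sha256).hexdigest()


def issue_token(phone: str) -> str:
    """Issued only after the server has verified the caller owns `phone`."""
    return f"{phone}:{_mac(phone)}"


def authenticated_phone(token: str) -> str | None:
    """Return the phone number bound to a valid token, else None."""
    phone, sep, mac = token.rpartition(":")
    if not sep:
        return None
    # Constant-time comparison on bytes, so odd input cannot raise or leak timing.
    ok = hmac.compare_digest(mac.encode(), _mac(phone).encode())
    return phone if ok else None


def get_recordings_vulnerable(request: dict) -> tuple[int, str]:
    """Flawed pattern: no authentication, identity taken from the request body."""
    url = RECORDINGS.get(request.get("phone", ""))
    return (200, url) if url else (404, "")


def get_recordings_hardened(request: dict) -> tuple[int, str]:
    """Identity comes from the verified token; a mismatching body value is refused."""
    phone = authenticated_phone(request.get("token", ""))
    if phone is None:
        return (401, "")
    if request.get("phone", phone) != phone:
        return (403, "")  # caller asked for another user's data
    url = RECORDINGS.get(phone)
    return (200, url) if url else (404, "")
```

The 403 branch is also a useful detection point: a token for one number paired with a request for another is a strong signal of tampering and is worth logging.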

130 000+ recordings stored in Apple app

According to TechCrunch, at the time that the updated version was pushed to users, some 300 GB of call data amounting to more than 130 000 recordings were stored in the cloud by the app.

These kinds of vulnerabilities are unlikely to ever be completely eradicated despite the quality control both Apple and Google put in before allowing apps into their stores.

With this in mind, it’s probably worth being extra careful when selecting a third-party app that will have access to any of your sensitive data.
