A security flaw in Verizon’s Call Filter app could’ve allowed threat actors to access details of incoming calls for another user, a security researcher has found.
Discovered by cybersecurity researcher Evan Connelly in February, the API flaw has since been patched by the telecoms giant. However, in a blog post detailing the vulnerability, Connelly warned exploitation of the flaw could have had profound implications for users.
“I recently identified a security vulnerability in the Verizon Call Filter iOS app which made it possible for an attacker to leak call history logs of Verizon Wireless customers,” Connelly wrote.
“Given that this data is of such value, you’d expect that both how it’s accessed, and who is given access would be closely guarded. However, as I found, this may not be the case.”
Call Filter is available on Android and iOS, and comes in both a free-to-use and premium option. The app flags potential spam calls for users, allows for automatic blocking of suspicious numbers, and is used on millions of devices.
Examination of the iOS version showed the app connects to an API endpoint to source incoming call histories for users in the event of a call, then display this in the app.
A technical rundown of the flaw showed the app uses the endpoint https://clr-aqx.cequintvzwecid.com/clr/callLogRetrieval to look up these call histories.
This particular endpoint requires a JWT (JSON Web Token) in the authentication header using the Bearer scheme, Connelly noted, and uses an X-Ceq-MDN header to specify a specific cell phone number to source call history logs.
“A JWT has three parts: header, payload, and signature. It’s often used for authentication and authorization in web apps,” he explained.
In short, this process should’ve included comparison of the phone number in a specific request with the user identified in the JWT. That way, this ensures a particular user requesting information has access to it.
“However, the /clr/callLogRetrieval endpoint was not validating that the phone number specified in the X-Ceq-MDN header matches the sub in the JWT payload, meaning it was possible to lookup call history logs for any phone number within the application by passing the desired phone number in the value of that header,” Connelly said.
Verizon flaw could’ve had wide-reaching implications
Connelly noted that while this is a privacy concern for all users, there are wider safety and national security considerations at play.
“Call logs can be quite valuable, especially for nation states, as recently noted in coverage of the Salt Typhoon breach of telecom networks,” he added.
In December last year, a senior White House security official confirmed the state-affiliated Salt Typhoon group was able to record telephone conversations of “very senior” US political figures.
The campaign compromised networks of major telecommunications companies, including AT&T, Verizon, and Lumen Technologies.
Connelly warned that call metadata “might seem harmless”, but in the hands of malicious actors – be they cyber criminals or even domestic abusers – it has the potential to become a “powerful surveillance tool”.
“With unrestricted access to another user’s call history, an attacker could reconstruct daily routines, identify frequent contacts, and infer personal relationships,” he wrote.
“Timestamps can be cross-referenced with social media or public sightings to map physical movements. Repeated numbers expose private or burner lines, compromising whistleblowers, journalists, or abuse survivors.”
Eric Schwake, director of cybersecurity strategy at Salt Security, said the vulnerability highlights the “urgent need for strong API security practices”.
“This event reflects a significant API design and implementation shortcoming, particularly regarding authentication, authorization, and input validation.”
“The issue was probably caused by misconfigurations, such as weak authorization, improper input validation, or lack of access controls, which enabled unauthorized users to access data outside their permitted scope.”
Verizon has since patched the flaw, with a spokesperson for the telecoms firm confirming that a fix was issued in mid-March.
“Verizon was made aware of this vulnerability and worked with the third-party app owner on a fix and patch that was pushed in mid-March,” the spokesperson said.
“While there was no indication that the flaw was exploited, the issue was resolved and only impacted iOS devices. Verizon appreciates the responsible disclosure of the finding by the researcher and takes the security very seriously.”
