A recently patched flaw in Verizon’s iOS Call Filter app may have exposed the call records of millions of users. The vulnerability, reported by researcher Evan Connelly, allowed call data, including phone numbers and timestamps, to be harvested without compromising the device or alerting the user.
Verizon’s Call Filter app, designed to help users manage and identify unwanted calls such as spam and robocalls, had a vulnerability in its call log retrieval endpoint. The flaw, which was reported to Verizon on February 22, 2025, and addressed in mid-March, could have allowed malicious actors to obtain call records for any number, because the server did not verify that the requester owned the number being queried.
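The missing ownership check can be sketched as a flawed lookup beside a corrected one. This is an added example, not Verizon's or Cequint's code: the function names, the `session` fields (`account_id`, `verified_numbers`) and the sample call records are all hypothetical and constructed for illustration.

```python
import re

# Constructed sample data: call history keyed by subscriber number (fictional 555-01xx range).
CALL_LOGS = {
    "15550100001": [{"from": "15550100042", "ts": "2025-02-20T14:03:00Z"}],
    "15550100002": [{"from": "15550100077", "ts": "2025-02-21T09:15:00Z"}],
}

DENIED = []  # audit trail of refused lookups, usable for detection and alerting


def normalize(number: str) -> str:
    """Reduce a phone number to digits, adding the US country code if missing."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 10:
        digits = "1" + digits
    if len(digits) != 11 or not digits.startswith("1"):
        raise ValueError("unsupported phone number format")
    return digits


def get_call_log_unchecked(session: dict, requested_number: str) -> list:
    """Flawed pattern: the caller is authenticated, but the requested number
    is taken on trust and never compared with the caller's own line."""
    return CALL_LOGS.get(normalize(requested_number), [])


def get_call_log_checked(session: dict, requested_number: str) -> list:
    """Corrected pattern: serve records only for a number the server itself
    has bound to the authenticated session (hypothetical 'verified_numbers')."""
    target = normalize(requested_number)
    owned = {normalize(n) for n in session["verified_numbers"]}
    if target not in owned:
        DENIED.append({"account": session["account_id"], "requested": target})
        raise PermissionError("requested number is not owned by this account")
    return CALL_LOGS.get(target, [])


if __name__ == "__main__":
    alice = {"account_id": "acct-1", "verified_numbers": ["+1 (555) 010-0001"]}
    print(get_call_log_checked(alice, "555-010-0001"))  # own line: served
    try:
        get_call_log_checked(alice, "555-010-0002")  # someone else's line
    except PermissionError as exc:
        print("denied:", exc, DENIED)
```

Normalizing both numbers before comparing keeps formatting differences from causing false denials or bypasses, and the denial list gives monitoring a signal when one account repeatedly asks for numbers it does not own.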
Connelly’s investigation revealed that the app’s API was hosted on a domain registered via GoDaddy, suggesting a link to Cequint, a telecom tech firm specializing in caller ID. The implications of this vulnerability were significant, as attackers could potentially access call histories for any number, risking the safety and privacy of individuals such as journalists, police officers, and politicians.
The timeline of events surrounding the discovery and resolution of this vulnerability highlights the quick response and fix implemented by Verizon. Despite the potential for abuse, there was no indication that the flaw was exploited, and the impact was limited to iOS devices. Verizon emphasized the importance of responsible disclosure and stated that they take security seriously.
The incident serves as a reminder of the value of call data to threat actors, as evidenced by recent reports of a China-linked cyber espionage group targeting telecom companies. The exposure of call records underscores the need for robust security measures to protect sensitive user data from unauthorized access and misuse.
Overall, the prompt identification and resolution of this vulnerability by Verizon, coupled with the responsible disclosure by the researcher, demonstrate the importance of proactive security practices in safeguarding user information. As technology continues to evolve, addressing vulnerabilities and mitigating risks will remain essential to maintaining trust and protecting user privacy.