A flaw in Verizon's iOS Call Filter app

Pierluigi Paganini
April 05, 2025

A now-patched flaw in Verizon's iOS Call Filter app exposed the call records of millions. No abuse found. Only telephone numbers and timestamps were at risk.

A now-patched vulnerability in Verizon's iOS Call Filter app could have been used to collect the call records of millions of Americans.

The Verizon Call Filter app allows users to identify and manage unwanted calls, such as spam and robocalls. It offers features such as spam detection, automatic blocking of high-risk spam calls and the ability to report unwanted numbers. The app is available for iOS devices and can be downloaded from the App Store.

Researcher Evan Connelly reported the flaw to Verizon on February 22, 2025; the vulnerability was fixed in mid-March.

“Imagine if someone could enter a phone number from the largest American cell carrier and instantly retrieve a list of its recent calls – with timestamps – without compromising the device, guessing a password or alerting the user,” warned the expert. “Now imagine that this number belongs to a journalist, a police officer, a politician or someone who was fleeing an attacker.”

Connelly analyzed traffic between the app and the server and found that the Verizon app requested call data from a server using a telephone number and a time range. The process lacked ownership verification, potentially allowing malicious actors to obtain incoming call logs for any number by making a request using the target phone number.

The vulnerability was in the Verizon Call Filter app's /clr/callLogRetrieval endpoint: although authentication was enforced via JWT tokens, the server did not check that the phone number in the request header matched the token's user (sub). As a result, attackers could retrieve call histories for arbitrary numbers. The problem probably affected most Verizon wireless users, as the service is often enabled by default.
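The missing check described above can be sketched as follows. This is an added example, not code from Verizon, Cequint or the researcher; it assumes an HS256 token whose sub claim carries the subscriber's number, and the key, function names and call records are constructed for illustration.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # assumption: HS256 with a shared demo key
CALL_LOGS = {  # constructed sample records, keyed by subscriber number
    "12025550100": ["2025-02-20T09:14:00Z from 12025550199"],
    "12025550101": ["2025-02-21T18:02:00Z from 12025550142"],
}

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: str) -> bytes:
    return hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest()

def issue_token(sub: str) -> str:
    """Mint a demo JWT; stands in for the real login flow."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({"sub": sub}).encode())
    return f"{head}.{body}.{_b64(_sign(f'{head}.{body}'))}"

def verify_token(token: str) -> dict:
    """Authentication only: check the signature, return the claims."""
    head, body, sig = token.split(".")
    if not hmac.compare_digest(_sign(f"{head}.{body}"), _unb64(sig)):
        raise PermissionError("invalid token signature")
    return json.loads(_unb64(body))

def digits(number: str) -> str:
    """Normalize a phone number to its digits before comparing."""
    return "".join(ch for ch in number if ch.isdigit())

def retrieve_flawed(token: str, header_number: str) -> list:
    verify_token(token)  # valid token, but the header value is trusted as-is
    return CALL_LOGS.get(digits(header_number), [])

def retrieve_fixed(token: str, header_number: str) -> list:
    owner = digits(str(verify_token(token).get("sub", "")))
    # Authorization: the requested number must be the token's own subject.
    if not owner or digits(header_number) != owner:
        raise PermissionError("requested number is not the token subject")
    return CALL_LOGS.get(owner, [])
```

The flawed handler authenticates the caller but never authorizes the requested number; the fixed one binds the lookup to the signed sub claim and rejects any mismatch.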

Connelly explained that an attacker exploiting this vulnerability can retrieve timestamps associated with incoming calls. Call metadata can enable real-time surveillance if misused. With access to call history, attackers can map routines, contacts and movements, putting whistleblowers, journalists, dissidents and others at risk. Repeated numbers can reveal private lines or burner phones. Although it might seem minor, this was not only a data leak; it was a powerful tool that could be used for surveillance and profiling of individuals.

The researcher discovered that the API of the Verizon Call Filter app is hosted on a domain (“Cequintvzwecid.com”) registered via GoDaddy, which is unusual for a large company. The domain name suggests that it is linked to Cequint, a telecommunications technology company specializing in caller ID, which probably operates the backend. Since Cequint’s own website is down, concerns arise about how much user data this lesser-known company holds, and how securely it is managed.

Below is the timeline for this vulnerability:

  • 02/22/2025 – Discovered the problem and reported it to Verizon
  • 02/24/2025 – Thanks to Verizon for my report
  • 03/23/2025 – I asked for an update because it seemed to me to be corrected
  • 03/25/2025 – Verizon confirmation that this problem is solved

Connelly credited Verizon for a quick response and a fix. The carrier states that the flaw was not exploited and only affected iOS devices.

“Although there is no indication that the flaw was exploited, the problem has been resolved and had no impact on iOS devices. Verizon appreciates the researcher’s responsible disclosure of the finding and takes security very seriously,” said Verizon in a statement.

Recently, the media reported that a China-linked cyber-espionage group targeted several telecommunications companies, showing that call data can be valuable to threat actors.
