A major security flaw discovered in Verizon's Call Filter app potentially exposed millions of customers' call records to unauthorized access, according to a recent report by security researcher Evan Connelly.
The vulnerability in the spam-blocking app, which comes pre-installed on many Verizon devices, allowed hackers to access detailed incoming call logs for any Verizon number through the app's back-end server without authorization.
"This wasn't just a data leak, but a real-time surveillance mechanism waiting to be abused," Connelly warned in his findings. By simply entering any Verizon phone number into the server, unauthorized users could retrieve timestamps and records of recent incoming calls.
The security researcher noted that while call data may appear harmless, it could enable malicious actors to "reconstruct daily routines, identify frequent contacts, and infer personal relationships." This poses particular risks for vulnerable individuals like domestic abuse survivors, law enforcement officers, and public figures who depend on communication privacy.
The technical flaw stemmed from the app's failure to validate whether users requesting call records were authorized to access that specific phone number's data. While Verizon confirmed the vulnerability only impacted iOS devices, Connelly estimated it affected "either nearly all, or all customers" using the Call Filter service.
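The missing check described above is an object-level authorization failure. The following is an added illustration, not code from Verizon, its app developer, or Connelly's report; the session store, function names and phone numbers are constructed assumptions. It contrasts a lookup that trusts the number supplied in the request with one that only serves the number bound to the authenticated session.

```python
import re

# Constructed sample data: incoming-call logs keyed by subscriber number (E.164).
CALL_LOGS = {
    "+15550100001": [("2025-02-20T09:14:00Z", "+15550100077")],
    "+15550100002": [("2025-02-21T18:30:00Z", "+15550100088")],
}
# Hypothetical session store: token -> number the server verified at login.
SESSIONS = {"token-alice": "+15550100001", "token-bob": "+15550100002"}
DENIED = []  # audit trail of cross-account attempts, for detection


class Forbidden(Exception):
    pass


def normalize(number):
    """Canonicalize US numbers so '555-010-0001' and '+1 555 010 0001' compare equal."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 10:
        digits = "1" + digits
    if len(digits) != 11 or not digits.startswith("1"):
        raise ValueError("not a valid US number")
    return "+" + digits


def get_calls_vulnerable(token, requested_number):
    """Flawed pattern: confirms a session exists, then trusts the number it was sent."""
    if token not in SESSIONS:
        raise Forbidden("not authenticated")
    return CALL_LOGS.get(normalize(requested_number), [])


def get_calls_fixed(token, requested_number):
    """Hardened: the requested number must be the one bound to the session."""
    owner = SESSIONS.get(token)
    if owner is None:
        raise Forbidden("not authenticated")
    target = normalize(requested_number)
    if target != owner:
        DENIED.append((owner, target))  # repeated mismatches are worth alerting on
        raise Forbidden("number does not belong to this account")
    return CALL_LOGS.get(target, [])
```

Normalizing before comparing matters: without it, a differently formatted copy of the owner's own number would be rejected, and the comparison logic tends to get loosened in ways that reintroduce the flaw.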
After Connelly reported the issue on February 22, Verizon worked with its third-party app developer to implement a fix by March 25. The company stated it found no evidence the vulnerability was exploited during this period.
In response to the incident, a Verizon spokesperson emphasized that the company "takes security very seriously and appreciates the responsible disclosure of the finding by the researcher."
This security incident highlights ongoing concerns about data privacy and protection in widely used telecommunications applications. While the immediate vulnerability has been patched, the case demonstrates how pre-installed apps can compromise user privacy when security measures fail.