© Valery Kazlitsinau

Check your phone – iPhone app exposed thousands of private calls

Whether it is for legal proceedings or an important meeting, recording a phone call is a great way to keep a copy of conversations. It’s for record-keeping purposes, but the conversations are not meant for other people in most cases.

If you’re ever doing business over the phone, recording calls is one way to settle disputes that may arise later. It’s just one way to protect yourself and your business.

You’ll most likely need an app to complete the recording process. Unfortunately, as with many apps, they could come with security flaws that bad actors can take advantage of. That just happened with a popular call recording app and it exposed thousands of conversations.

Here’s the flaw’s backstory

Let’s begin with the legal aspects. If you use an app to record a phone call, you must familiarize yourself with local laws. Most states allow for recording if at least one of the parties involved gives consent. This is the “one-party consent” law, but there are several states where all parties in a call need to consent for it to be legal.

States like California, Florida, Pennsylvania, and Washington have a “two-party consent” law. For a recording to be legal in those states, all parties to the communication need to consent.

Now that that’s out of the way, a critical flaw in the popular iOS app Acr Call Recorder was recently found. Anand Prakash from PingSafe AI disclosed the vulnerability. The bug allowed anyone with very little technical know-how to listen to over 130,000 recordings.

The app has more than a million downloads, and all user data is stored on cloud servers. Researchers used PingSafe AI’s threat and open-source intelligence software to discover the flaw. The software breached the app’s security to access hostnames and other sensitive details the app used.

“The vulnerability allowed any malicious actor to listen to any user’s call recording from the cloud storage bucket of the application and an unauthenticated API endpoint which leaked the cloud storage URL of the victim’s data,” PingSafe AI wrote in a blog post.

Detailing the steps taken to reproduce the flaw, researchers explained that all a hacker had to do was intercept the app’s traffic. Once the traffic was captured, the hacker would replace the query string with the victim’s phone number.

That allowed them to access the specific cloud storage bucket where that number’s recordings are held. It also exposed the user’s entire call history and the numbers associated with it.
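For developers, the flaw described above is a missing ownership check. The sketch below is an added example, not code from the app or from PingSafe AI: it contrasts a lookup that trusts the phone number in the request with one that requires a session and hands out short-lived signed links. The session table, paths, key and function names are all hypothetical, and this is one possible hardening, not the fix the app actually shipped.

```python
import hashlib
import hmac
import time

# Constructed sample data; every name and value below is hypothetical.
SIGNING_KEY = b"demo-only-key"
SESSIONS = {"token-alice": "+15550100", "token-bob": "+15550111"}  # token -> verified number
RECORDINGS = {"+15550100": ["rec/a1.m4a"], "+15550111": ["rec/b1.m4a", "rec/b2.m4a"]}


def list_recordings_flawed(query_number):
    """Flawed pattern from the report: no login, trusts the number in the request."""
    return RECORDINGS.get(query_number, [])


def _mac(path, expires):
    msg = f"{path}:{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def sign_url(path, expires):
    """Short-lived signed link, used instead of a permanent bucket URL."""
    return f"/{path}?expires={expires}&sig={_mac(path, expires)}"


def verify_url(path, expires, sig, now=None):
    """Storage-side check: signature must match and the link must not be expired."""
    now = time.time() if now is None else now
    return hmac.compare_digest(_mac(path, expires), sig) and now < expires


def list_recordings_hardened(session_token, query_number, now=None):
    """Require a session and only serve the number that session verified."""
    owner = SESSIONS.get(session_token)
    if owner is None:
        raise PermissionError("not authenticated")
    if query_number != owner:
        raise PermissionError("number does not belong to this session")
    expires = int(time.time() if now is None else now) + 300
    return [sign_url(p, expires) for p in RECORDINGS.get(owner, [])]
```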

What you can do now

The situation might seem dire, but fortunately, the app has been updated with a fix already. After initially struggling to notify the app’s developers in late February, Prakash and his team made contact through the responsible disclosure program.

If you use the Acr Call Recorder app on your iPhone, open Apple’s App Store and make sure it’s been updated with the most recent release. If there is an update available, install it ASAP.

Earlier this month, social media site Gab also suffered a massive breach. Criminals made off with 70 gigabytes of user data, profile information, private messages, and passwords.
