A now-fixed vulnerability in the Verizon Call Filter app, which provides spam call identification and blocking for iOS users, could have allowed the call records of millions of people across the U.S. to be exposed and stolen, according to SecurityWeek.

The flaw stemmed from an endpoint's failure to verify that the phone number in the request sent by the app belonged to the requesting user, which could have let threat actors submit an arbitrary phone number and obtain targeted users' incoming call numbers, said cybersecurity researcher Evan Connelly. "Call metadata might seem harmless, but in the wrong hands, it becomes a powerful surveillance tool. With unrestricted access to another user's call history, an attacker could reconstruct daily routines, identify frequent contacts, and infer personal relationships," said Connelly, who also emphasized the potential risk particularly for journalists, whistleblowers, and survivors of abuse. Meanwhile, Verizon noted that there have been no attacks abusing the security issue.
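The missing ownership check described above, shown as an added example that is not Verizon's code or from the original report: a handler that trusts the number in the request beside one that binds it to the authenticated identity and records mismatches. The `Session` shape, function names, and phone numbers are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample data: incoming-call history keyed by subscriber number.
CALL_HISTORY = {
    "+15550100": [{"from": "+15550177", "ts": "2025-01-01T09:00:00Z"}],
    "+15550101": [{"from": "+15550188", "ts": "2025-01-01T10:30:00Z"}],
}


@dataclass(frozen=True)
class Session:
    """Identity taken from a validated token (hypothetical shape)."""
    subject_number: str  # number the token was issued to


class Forbidden(Exception):
    """Raised when the requested number is not the caller's own."""


def normalize(number: str) -> str:
    """Canonical form, so formatting differences cannot dodge the comparison."""
    return "+" + "".join(ch for ch in number if ch.isdigit())


def get_call_history_unchecked(session: Session, requested_number: str) -> list:
    """Flawed pattern: the number in the request is trusted as-is."""
    return CALL_HISTORY.get(normalize(requested_number), [])


def get_call_history(session: Session, requested_number: str, audit_log: list) -> list:
    """Hardened: serve records only for the number the token was issued to."""
    requested = normalize(requested_number)
    owner = normalize(session.subject_number)
    if requested != owner:
        # A mismatch is a detection signal as well as a denial.
        audit_log.append({"event": "number_mismatch", "subject": owner, "requested": requested})
        raise Forbidden("requested number does not belong to the authenticated user")
    return CALL_HISTORY.get(requested, [])
```

Deriving the number from the session alone and dropping it from the request removes the comparison entirely; the version above fits APIs that must keep the parameter.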