- The Neon app offered cash for recordings of its users' phone calls
- These were sold to AI companies to train their algorithms.
- It has been taken offline after a major security failure exposed users' recordings
How do you like the sound of an application that records your phone calls and sells all those private conversations to artificial intelligence (AI) companies? Sure, you might get paid a little in return, but is it worth the enormous privacy risk?
Well, it turns out that the answer is a resounding ‘no’, because the viral application in question, called Neon Mobile, has been taken offline after it was revealed that anyone could access the phone numbers, transcripts and recordings of real telephone calls of any other user of the service. Worst of all, the data breach could be carried out with the most trivial of tools and minimal effort, which suggests that the application's security measures were woefully inadequate.
The vulnerability was discovered and reported by TechCrunch. The outlet explained that it created a new account to test Neon's functionality, then used a network analysis tool called Burp Suite to inspect the application's network traffic. While Neon showed TechCrunch reporters a list of their calls and how much money each earned, Burp Suite revealed much more information.
That included text transcripts of each call and web links to the recordings. Apparently, this information could be accessed by anyone with the right link, which means that it was essentially open to all and sundry.
But the reported vulnerability was not limited to TechCrunch's own hidden data; the same could apparently be done for any other user. TechCrunch discovered that Neon's servers could produce a list of the most recent calls made by all its users, as well as publicly available links to the corresponding recordings and transcripts.
The metadata of each call could also be accessed, including phone numbers, the date and duration of the call, and more. In other words, it was a free-for-all of private recordings and conversations.
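The two failures described above (a call list that is not scoped to the requesting account, and recording links usable by anyone who holds them) are shown here beside a hardened form. This is an added example, not code from the article or from Neon; the record fields, function names, signing key and sample data are constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample records using the fields the article lists; not real data.
CALLS = [
    {"id": 1, "owner": "alice", "number": "+15550100", "date": "2025-09-20",
     "duration_s": 312, "earned": 0.45, "transcript": "(constructed)", "recording": "rec/1.wav"},
    {"id": 2, "owner": "bob", "number": "+15550101", "date": "2025-09-21",
     "duration_s": 95, "earned": 0.12, "transcript": "(constructed)", "recording": "rec/2.wav"},
]
SIGNING_KEY = b"constructed-demo-key"  # assumption: secret held only by the server
UI_FIELDS = ("id", "date", "earned")   # assumption: what the app screen displays


def list_calls_vulnerable(session_user):
    """Reported behaviour: every user's recent calls, with all fields."""
    return [dict(c) for c in CALLS]


def list_calls_hardened(session_user):
    """Filter on the authenticated account and return only displayed fields."""
    return [{k: c[k] for k in UI_FIELDS} for c in CALLS if c["owner"] == session_user]


def _sign(user, call_id, expires):
    msg = f"{user}|{call_id}|{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def issue_recording_token(session_user, call_id, now, ttl=300):
    """Return (expires, signature) for the caller's own recording, else None."""
    if not any(c["id"] == call_id and c["owner"] == session_user for c in CALLS):
        return None  # same answer for "not yours" and "does not exist"
    expires = now + ttl
    return expires, _sign(session_user, call_id, expires)


def verify_recording_token(session_user, call_id, expires, sig, now):
    """Accept only an unexpired signature bound to this account and call."""
    expected = _sign(session_user, call_id, expires)
    return now <= expires and hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    print(len(list_calls_vulnerable("alice")), list_calls_hardened("alice"))
```

In the hardened form, a request made under one account returns only that account's rows, and a recording token copied out of intercepted traffic fails verification under any other account or after it expires.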
A privacy disaster
TechCrunch warned Alex Kiam, founder of Neon, about the flaw. Kiam “temporarily” took down the application and sent an email to Neon users. However, Kiam’s mass message did not mention the security flaw or the fact that user calls were available to be downloaded by anyone with even the most basic level of technical knowledge. Instead, he simply declared that the developer was “taking the application down to add additional security layers.”
Even before this security breach was revealed, the concept of Neon was questionable. In a nutshell, the application was a potential privacy nightmare. There was no cast-iron guarantee that your recorded calls would be used safely or kept anonymous, while feeding them into a black-box AI algorithm could have all kinds of unexpected consequences and potential data risks.
As TechCrunch has demonstrated, metadata (including phone numbers) was attached to call recordings, which means that it would be trivial to personally identify the people on the calls and the private matters they were discussing.
In addition, Neon apparently did not alert any participant on the call that their words were being recorded, raising the question of whether anyone was being asked for permission.
Such a system could also be ripe for abuse, something that TechCrunch apparently confirmed. The outlet said it discovered long calls that seemed to “covertly record real-world conversations with other people to generate money through the application.” It is doubtful that those who were secretly recorded knew that this was the case, opening another can of worms.
There is no indication of when, or if, Neon will be back online, but it is likely that Apple and Google will be interested in proceedings. It remains to be seen whether they will allow it to return to their application stores, but it does not seem to align very well with the pro-privacy messaging that both companies like to promote.