- A security researcher finds an error in an API used by a Verizon mobile application
- The error allowed threat actors to see other people’s call records.
- It was found in February 2025 and fixed in March, but users should still be careful
An error in a Verizon API allowed malicious actors to see the records of other people's incoming calls until it was fixed.
Cybersecurity researcher Evan Connelly found the error in Call Filter, a free Verizon application that ships with all iOS and Android devices sold directly through the telecom and helps users block spam calls, identify unknown numbers and avoid robocalls.
Given Verizon's large subscriber base, the application probably has millions of users, since it offers features such as spam detection, call identification, personal block lists and automatic blocking of high-risk calls. Call Filter also has a premium version that adds spam search, custom controls and caller ID for unknown numbers.
Aimed at journalists
As Connelly explained, the application connects to an API endpoint that retrieves the logged-in user's record of incoming calls and then shows it in the application. However, due to a misconfiguration in the API, the user’s phone number was not verified, which meant that any user could request the data of any other person.
Connelly tested the iOS version, but states that the problem is platform-agnostic, since the error resides in the API rather than in the application itself.
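The class of flaw described above, a request that is authenticated but whose phone number is never checked against the account that sent it, is shown here as an added example beside the corrected check. It is not Verizon's code or Connelly's; the token names, phone numbers, function names and the in-memory tables are all constructed for illustration.

```python
# Added illustration of a hypothetical call-log API (constructed data throughout).

# Session token -> subscriber number the session was issued to.
SESSIONS = {"tok-alice": "+15550100", "tok-bob": "+15550111"}
# Incoming-call records keyed by subscriber number.
CALL_LOGS = {
    "+15550100": [{"from": "+15550199", "ts": "2025-02-01T09:14:00Z"}],
    "+15550111": [{"from": "+15550142", "ts": "2025-02-01T17:40:00Z"}],
}
AUDIT = []  # denied cross-account requests, kept for detection


def get_calls_unchecked(token, requested_number):
    """Flawed pattern: the caller is authenticated, but the requested
    number is trusted as-is and never tied to the session."""
    if token not in SESSIONS:
        return 401, None
    return 200, CALL_LOGS.get(requested_number, [])


def get_calls_checked(token, requested_number):
    """Corrected pattern: the requested number must equal the number
    the session belongs to; mismatches are refused and recorded."""
    owner = SESSIONS.get(token)
    if owner is None:
        return 401, None
    if requested_number != owner:
        AUDIT.append({"session_owner": owner, "requested": requested_number})
        return 403, None
    return 200, CALL_LOGS.get(owner, [])


def flag_enumeration(audit, threshold=3):
    """Return session owners refused for at least `threshold` distinct
    numbers that are not their own, a sign of someone walking numbers."""
    seen = {}
    for entry in audit:
        seen.setdefault(entry["session_owner"], set()).add(entry["requested"])
    return sorted(o for o, nums in seen.items() if len(nums) >= threshold)
```

The only difference between the two handlers is the comparison of the requested number with the session owner; the audit list gives defenders a signal when one account repeatedly asks for other subscribers' records.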
Seeing someone’s call record may not seem like much at first, but Connelly warns that it could be a “powerful surveillance tool”, especially against high-profile targets such as journalists, government opponents, dissidents and the like.
“Call metadata may seem harmless, but in the wrong hands, it becomes a powerful surveillance tool. With access without restrictions on the history of calls from another user, an attacker could rebuild daily routines, identify frequent contacts and infer personal relationships,” said Connelly.
Verizon addressed the defect at some point in March 2025, but we don’t know how long this information was exposed, so users should still be careful.
Via BleepingComputer