A serious vulnerability was discovered in Verizon’s Call Filter app for iOS, which allowed unauthorized access to customer call logs. This flaw posed significant privacy risks, enabling individuals with technical knowledge to retrieve incoming call data for any Verizon phone number. The issue lay in the app’s interaction with Verizon’s servers, where it failed to validate the phone number in the request against the signed-in user’s number. By manipulating the request header, an attacker could access call logs of any Verizon customer, exposing sensitive information.
The vulnerability impacted Verizon’s extensive customer base, as the Call Filter app was believed to be pre-installed and enabled by default on many devices. It allowed unauthorized access to not just call logs but also timestamps and durations, which could reveal personal routines and confidential contacts. This breach posed serious risks for high-risk individuals like journalists, law enforcement officers, and domestic abuse survivors, whose safety could be compromised if their call histories were exposed.
The discovery underscored the need for better security measures to protect user privacy.
The breach involved a vulnerable API endpoint hosted by Cequint, a telecom technology company. This raised concerns about the security of customer data, especially when managed by third-party contractors like Cequint. The flaw was discovered by researcher Evan Connelly on February 22, 2025, and Verizon reportedly fixed the issue the following month. While the exposure period remains unclear, the flaw was present in both the iOS and likely the Android version of the app, affecting millions of Verizon users.
Verizon’s response was prompt, but the situation highlighted concerns about poor security practices regarding call data.
The vulnerable API endpoint had no apparent rate-limiting or security features that could prevent mass scraping of millions of subscribers’ data. The use of third-party servers for handling sensitive customer data raised additional questions about Verizon’s approach to securing personal information. This breach serves as a reminder of the risks posed by security lapses in widely used mobile services.
