
Critical Vulnerability in Verizon’s iOS Call Filter App Exposed Millions of Call Records
Private Calls Made Public: Inside Verizon’s API Security Failure – Digital Eavesdropping Made Easy
A serious security flaw in Verizon’s iOS Call Filter app was recently discovered that could have potentially exposed the call records of millions of Americans. This vulnerability, which has now been patched, allowed attackers to access incoming call logs complete with timestamps without any authentication barriers. In this blog post, we’ll dive into the details of this security issue, its implications, and what you can do to protect yourself.
The Vulnerability Explained
Verizon’s Call Filter app is designed to help users identify and manage unwanted calls such as spam and robocalls. It offers features like spam detection, automatic blocking of high-risk spam calls, and the ability to report unwanted numbers.
The vulnerability was discovered and reported by researcher Evan Connelly on February 22, 2025. After analyzing the traffic between the app and the server, Connelly found that Verizon’s app requested call data from a server using just a phone number and time range parameter. The critical flaw was that this process lacked proper ownership verification.
As Connelly warned: “Imagine if anyone could punch in a phone number from the largest U.S. cell carrier and instantly retrieve a list of its recent incoming calls—complete with timestamps—without compromising the device, guessing a password, or alerting the user.”
The technical issue was specifically located in the “/clr/callLogRetrieval” endpoint of the Call Filter app. Although authentication was enforced via JWT tokens, the server failed to verify that the phone number in the header matched the token’s user ID. This oversight meant that attackers could retrieve call histories for any arbitrary number by crafting a specific request.
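The missing ownership check can be shown with a small server-side handler. This is an added example, not Verizon's, Cequint's or the researcher's code; the `X-Requested-Number` header name, the use of the `sub` claim as the user ID, the signing key and the call records are all assumptions constructed for the demonstration.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"  # constructed signing key, demo only
CALL_LOGS = {  # constructed records keyed by subscriber number
    "+15550100001": [{"from": "+15550100077", "ts": "2025-02-20T14:03:00Z"}],
    "+15550100002": [{"from": "+15550100088", "ts": "2025-02-21T09:41:00Z"}],
}


def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64d(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def issue_token(subscriber: str, ttl: int = 300) -> str:
    """Mint an HS256 JWT whose `sub` claim is the subscriber's own number."""
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps({"sub": subscriber, "exp": int(time.time()) + ttl}).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64e(sig)}"


def verify_token(token: str) -> dict:
    """Authentication only: signature and expiry. Says nothing about whose data."""
    try:
        head, body, sig = token.split(".")
        good = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(good, b64d(sig)):
            raise PermissionError("bad signature")
        claims = json.loads(b64d(body))
    except ValueError:
        raise PermissionError("malformed token") from None
    if claims.get("exp", 0) < time.time():
        raise PermissionError("expired token")
    return claims


def get_call_log(headers: dict) -> tuple:
    """Hardened handler: authenticate, then authorize the requested number."""
    try:
        claims = verify_token(headers.get("Authorization", "").removeprefix("Bearer "))
    except PermissionError:
        return 401, []
    requested = headers.get("X-Requested-Number", "")
    # The ownership check the article says was missing: without this
    # comparison, any valid token could read any subscriber's log.
    if requested != claims.get("sub"):
        return 403, []
    return 200, CALL_LOGS.get(requested, [])
```

A stricter design ignores the client-supplied number altogether and looks up the log for `claims["sub"]`, so there is no second identifier to get out of sync with the token.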
Scope and Impact
The vulnerability likely affected most Verizon Wireless users, as the Call Filter service is often enabled by default on iOS devices.
While the exposed data might seem limited to timestamps and phone numbers of incoming calls, the security implications are significant. Call metadata can be used for real-time surveillance if misused. With access to call history, attackers could potentially map routines, contacts, and even movements, putting at risk the safety of journalists, whistleblowers, dissidents, and others who require privacy.
The researcher also discovered that the API for Verizon’s Call Filter app is hosted on a domain registered via GoDaddy (“CEQUINTVZWECID.com”), which is unusual for a major telecommunications company. The domain name suggests it’s linked to Cequint, a telecom tech firm specializing in caller ID, which likely operates the backend.
Timeline and Resolution
The vulnerability was handled according to the following timeline:
- February 22, 2025: Evan Connelly discovered the issue and reported it to Verizon
- February 24, 2025: Verizon acknowledged receipt of the report
- March 23, 2025: Connelly requested an update as the issue appeared to be fixed
- March 25, 2025: Verizon confirmed that the issue had been resolved
Verizon issued a statement saying, “While there was no indication that the flaw was exploited, the issue was resolved and only impacted iOS devices. Verizon appreciates the responsible disclosure of the finding by the researcher and takes the security very seriously.”
Mitigation Steps
If you’re a Verizon customer using the iOS Call Filter app, here are some steps to protect yourself:
- Update your Call Filter app to the latest version immediately
- Monitor your Verizon account for any suspicious activity
- Consider enabling additional security features like two-factor authentication on your Verizon account
- Review which apps have access to your call logs and revoke unnecessary permissions
How CinchOps Can Help Secure Your Mobile Devices
In today’s environment where mobile security vulnerabilities are constantly being discovered, organizations need comprehensive mobile device management solutions. CinchOps provides:
- Real-time vulnerability scanning for all mobile applications
- Automated security updates and patch management
- Enterprise-wide mobile security policy enforcement
- Detailed security reporting and compliance monitoring
- Ongoing threat intelligence specific to mobile platforms
Discover more about our enterprise-grade, business-protecting cybersecurity services on our Cybersecurity page.
Our proactive approach helps identify potential security issues before they can be exploited. CinchOps continually monitors for new vulnerabilities like the one discovered in Verizon’s Call Filter app, ensuring your organization’s mobile infrastructure remains protected.
The vulnerability in Verizon’s iOS Call Filter app highlights the importance of proper API security and authentication validation in mobile applications. While Verizon responded quickly to patch the issue, it serves as a reminder of how seemingly minor oversights in security implementation can have potentially serious privacy implications for millions of users.
For additional insights into how CinchOps secures your mobile devices, read our blog posts “Mobile Device Management: Securing Houston Businesses With CinchOps” and “Mobile Device Management: Securing and Optimizing Your Business Devices”.
For more information about how CinchOps can help secure your organization’s mobile devices, contact our security team today.