Verizon security flaw could allow hackers to view entire call history

2 weeks ago 25

(Image credit: Shutterstock)

Security researcher finds bug in an API used in a Verizon mobile app
The bug allowed threat actors to view other people's call logs
It was found in February 2025 and fixed in March, but users should still take care

A bug in a Verizon API allowed malicious actors to view other people’s incoming call logs until it was fixed.

Cybersecurity researcher Evan Connelly found the bug in Call Filter, a free app Verizon ships with all iOS and Android devices sold directly through the telco to help users block spam calls, identify unknown numbers, and avoid robocalls.

Given Verizon’s large subscriber base, the app likely has millions of users, as it offers features like spam detection, caller ID, personal block lists, and automatic blocking of high-risk calls. Call Filter also has a premium version which adds spam lookup, custom controls, and caller ID for unknown numbers.

Targeting journalists

As Connelly explained, the app connects to an API endpoint where it retrieves the logged-in user’s incoming call history, and then displays it in the app. However, due to a misconfiguration in the API, the user’s phone number is not verified, meaning that any user could request the data for anyone else.

Connelly tested the iOS version, but claims the problem is platform-agnostic, since the bug resides in the API, instead of the app itself.

Seeing someone’s call log might not seem like much at first, but Connelly warns that it could be a “powerful surveillance tool”, especially against high-profile targets such as journalists, government opponents, dissidents, and similar.

"Call metadata might seem harmless, but in the wrong hands, it becomes a powerful surveillance tool. With unrestricted access to another user's call history, an attacker could reconstruct daily routines, identify frequent contacts, and infer personal relationships," Connelly said.

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Verizon addressed the flaw sometime in March 2025, but we don’t know for how long this information was exposed, so users should still take extra care.

Via BleepingComputer

Private API keys and passwords found in AI training dataset - nearly 12,000 details leaked
We've rounded up the best password managers
Take a look at our guide to the best authenticator app

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read Entire Article