通过Verizon iOS应用入侵数百万美国人的通话记录

通过Verizon iOS应用入侵数百万美国人的通话记录
Hacking the call records of millions of Americans

原始链接: https://evanconnelly.github.io/post/hacking-call-records/

我在Verizon Call Filter iOS 应用中发现了一个严重的安全性漏洞，允许未授权访问客户通话记录。通过操纵网络请求中的X-Ceq-MDN头部，任何人都可以检索任何Verizon Wireless用户的来电记录，无需身份验证或设备入侵。该漏洞源于应用未能验证请求的电话号码是否与用户的已验证身份匹配，从而暴露了敏感的通话元数据，例如时间戳和呼叫号码。这些信息可能被用于监控，揭示个人日常活动、人际关系和联系模式，对记者、执法人员和家庭暴力幸存者等个人构成严重风险。受影响的API端点托管在一个可能与来电显示服务公司Cequint相关的域名上，这引发了对数据安全实践的担忧。我于2025年2月22日向Verizon报告了这个问题，他们迅速确认并在2025年3月25日解决了这个问题。虽然只返回了来电，但通过受影响的Verizon客户访问去电的可能性，可能通过交叉引用扩展到任何Verizon客户的完整通话记录。

Hacker News 最新 | 过去 | 评论 | 提问 | 展示 | 招聘 | 提交登录通过Verizon iOS应用入侵数百万美国人的通话记录 (evanconnelly.github.io) voxadam 2小时前 12分 | 隐藏 | 过去 | 收藏 | 1条评论 MPSFounder 4分钟前 [–] 我希望他们为此支付了赏金（> 20k）。否则，在我看来，做正确的事情并不正确。他们的MBA们不会从中吸取教训，而只会将其掩盖。回复加入我们，参加6月16日至17日在旧金山举办的AI创业学校！指导原则 | 常见问题 | 列表 | API | 安全 | 法律 | 申请YC | 联系我们搜索：

原文

Imagine if anyone could punch in a phone number from the largest U.S. cell carrier and instantly retrieve a list of its recent incoming calls—complete with timestamps—without compromising the device, guessing a password, or alerting the user.

Now imagine that number belongs to a journalist, a police officer, a politician, or someone fleeing an abuser.

This capability wasn’t a hypothetical.

Cover Image

I recently identified a security vulnerability in the Verizon Call Filter iOS app which made it possible for an attacker to leak call history logs of Verizon Wireless customers.

Call logs can be quite valuable, especially for nation states, as recently noted in coverage of the Salt Typhoon breach of telecom networks: https://www.nytimes.com/2024/10/25/us/politics/trump-vance-hack.html

Given that this data is of such value, you’d expect that both how it’s accessed, and who is given access would be closely guarded. However, as I found, this may not be the case.

High level overview:

In order to display your recent history of received calls in the Verizon Call Filter app, a network request is made to a server. That request contains various details such as your phone number and the requested time period for call records. The server then responds with a list of calls and timestamps for each.

So surely the server validated that the phone number being requested was tied to the signed in user? Right? Right?? Well&mldr;no. It was possible to modify the phone number being sent, and then receive data back for Verizon numbers not associated with the signed in user.

In short, anyone could lookup data for anyone.

This is of course a privacy concern for all. But for some this could also represent a safety concern.

Consider scenarios involving survivors of domestic abuse, law enforcement officers, or public figures—individuals who rely on the confidentiality of their communication patterns. Having their incoming call logs exposed is not just invasive; it’s dangerous.

Call metadata might seem harmless, but in the wrong hands, it becomes a powerful surveillance tool. With unrestricted access to another user’s call history, an attacker could reconstruct daily routines, identify frequent contacts, and infer personal relationships.

Timestamps can be cross-referenced with social media or public sightings to map physical movements. Repeated numbers expose private or burner lines, compromising whistleblowers, journalists, or abuse survivors.

This wasn’t just a data leak. It was a real-time surveillance mechanism waiting to be abused.

Technical details:

The Verizon Call Filter app uses the endpoint https://clr-aqx.cequintvzwecid.com/clr/callLogRetrieval to lookup call history for the authenticated user and display it in the app.

This endpoint requires a JWT (JSON Web Token) in the Authorization header using the Bearer scheme and uses an X-Ceq-MDN header to specify a cell phone number to retrieve call history logs for.

A JWT has three parts: header, payload, and signature. It’s often used for authentication and authorization in web apps.

The payload in this case looked like:

{
    "sub": "SIGNED_IN_USER_PHONE_NUMBER_HERE",
    "iat": "1740253712",
    "iss": "df88f1ed1dfd9a903e4c8dca7f00089e134c6c4e0a566cd565147ba1dadf78a6",
    "secret": "REDACTED",
    "alg": "ECDSA-256",
    "exp": "1740255512"
}

sub stands for subject — it identifies who the token is about (usually the user ID). In this case that is a phone number of the signed in user.

What should have been happening, and did seem to take place on other endpoints for additional app functionality, is that the server would compare the phone number specified in the request to the user identifier (sub) in the JWT, to ensure that the user requesting the information should have access to it.

However, the /clr/callLogRetrieval endpoint was not validating that the phone number specified in the X-Ceq-MDN header matches the sub in the JWT payload, meaning it was possible to lookup call history logs for any phone number within the application by passing the desired phone number in the value of that header.

Example Vulnerable Request: HTTP Request

The issue I discovered impacted at least those who have the Verizon Call Filter service enabled (I did not test a number which had it disabled; I can’t rule out whether or not all Verizon numbers could have been impacted).

Based on https://www.verizon.com/support/call-filter-faqs/ and https://www.verizon.com/about/news/verizon-helps-customers-avoid-15-billion-robocalls I believe this service may be on by default for many/all Verizon Wireless customers, so in either case, it does seem this issue impacted either nearly all, or all customers.

While this endpoint only returned received calls for the specified phone number, I don’t believe that to be a major limitation on impact. For one, that’s still an immense amount of information. But also, for a targeted individual, this could stretch into a partial picture of outgoing calls as well, provided the outgoing calls were to other impacted Verizon customers.

Who is Cequint?

Interestingly, the domain name that hosts the API for this app is registered at GoDaddy, which is a bit unusual for a large company, especially one as big as Verizon.

WHOIS Data This led me to examine the domain name more closely, upon which I noticed it seemed to represent “CEQUINT VZW ECID”

VZW ECID would seem to be the Verizon Caller ID app, as the Android APK has the package name com.vzw.ecid https://play.google.com/store/apps/details?id=com.vzw.ecid&hl=en_US

But what about CEQUINT? That would seem to be a separate company.

The website http://www.cequint.com/ looks to be down, but crunchbase shows they are a telecom technology company specializing in caller ID services.

https://www.crunchbase.com/organization/cequint Cequint

As such, based on the GoDaddy registrar of the domain, and the Cequint keyword in the domain, I believe this issue may have ultimately lied in a server owned by Cequint.

This does raise questions: how much data does this obscure company without a website of their own have? And how well secured is it?

Timeline

2/22/2025 - Discovered the issue and reported to Verizon
2/24/2025 - Acknowledgment from Verizon of my report
3/23/2025 - I requested an update as this appeared to me to be fixed
3/25/2025 - Confirmation from Verizon that issue is resolved

I do want to credit Verizon for a quick response and fix. While I don’t have the exact date they fixed this issue, I believe it was sooner than when I retested the issue and noted on my side that it looked to be resolved. They were also prompt to acknowledge my report.