- Security researcher finds bug in an API used in a Verizon mobile app
- The bug allowed threat actors to view other people’s call logs
- It was found in February 2025 and fixed in March, but users should still take care
A bug in a Verizon API allowed malicious actors to view other people’s incoming call logs until it was fixed.
Cybersecurity researcher Evan Connelly found the bug in Call Filter, a free app Verizon ships with all iOS and Android devices sold directly through the telco to help users block spam calls, identify unknown numbers, and avoid robocalls.
Given Verizon’s large subscriber base, the app likely has millions of users, as it offers features like spam detection, caller ID, personal block lists, and automatic blocking of high-risk calls. Call Filter also has a premium version which adds spam lookup, custom controls, and caller ID for unknown numbers.
Targeting journalists
As Connelly explained, the app connects to an API endpoint where it retrieves the logged-in user’s incoming call history, and then displays it in the app. However, due to a misconfiguration in the API, the user’s phone number is not verified, meaning that any user could request the data for anyone else.
Connelly tested the iOS version, but claims the problem is platform-agnostic, since the bug resides in the API, instead of the app itself.
Seeing someone’s call log might not seem like much at first, but Connelly warns that it could be a “powerful surveillance tool”, especially against high-profile targets such as journalists, government opponents, dissidents, and similar.
“Call metadata might seem harmless, but in the wrong hands, it becomes a powerful surveillance tool. With unrestricted access to another user’s call history, an attacker could reconstruct daily routines, identify frequent contacts, and infer personal relationships,” Connelly said.
Verizon addressed the flaw sometime in March 2025, but we don’t know for how long this information was exposed, so users should still take extra care.
Via BleepingComputer
