Critical Flaw in Verizon Call Filter App Exposes Millions of Users’ Call Logs

Overview of the Security Breach

A significant security loophole was identified in the Verizon Call Filter app for iOS, potentially compromising the incoming call details of millions of users. This vulnerability allowed unauthorized access to private call metadata without the need to hack the device or alert the user.

Discovery and Resolution

Evan Connelly, an independent security researcher, discovered this critical flaw and reported it responsibly on February 22, 2025. The issue has been successfully resolved since its identification.

Detailed Breakdown of the Vulnerability

The security gap was traced back to a backend API used by the Call Filter app to access call history. This API endpoint failed to conduct proper authorization checks, thus exposing user data.

Connelly highlighted, “By altering the submitted phone number, it was possible to access call data for numbers not linked to the user logged in—essentially enabling data access on virtually any Verizon user.”

Technical Details

The vulnerability originated from inadequate JWT (JSON Web Token) validation procedures. Although the API required a JWT in the Authorization header, it did not verify that the phone number in the X-Ceq-MDN header matched the number associated with the authenticated user in the JWT’s payload.

Potential Impact on Verizon Wireless Customers

All Verizon Wireless customers with the activated Call Filter feature, which is often enabled by default, were at risk due to this vulnerability.

• The breach exposed incoming call logs including timestamps, which could lead to severe privacy violations.
• This exposure is particularly hazardous for people like survivors of domestic abuse, law enforcement officers, or public figures who depend on confidential communications.

Implications for Privacy

Call metadata, while not revealing the content of the conversations, provides insights into communication patterns and frequently contacted individuals. In certain contexts, this information can disclose sensitive connections or locations.

Broader Security Concerns

The compromised API was hosted on servers managed by Cequint, a firm specializing in caller ID technologies. This breach not only raises questions about third-party security measures but also highlights ongoing security challenges in the telecom sector.

Following this breach are recent security incidents including an alleged attack on Verizon’s Push-to-Talk services and the apparent offline status of Cequint’s website post an Akira ransomware attack, underscoring the need for heightened cybersecurity vigilance.