- A security researcher found a bug in an API used by a Verizon mobile application
- The bug allowed threat actors to view other users' call logs
- It was found in February 2025 and fixed in March, but users should still be careful
A bug in a Verizon API allowed malicious actors to view other users' incoming call logs until it was fixed.
Cybersecurity researcher Evan Connelly found the bug in Call Filter, a free application that Verizon ships with all iOS and Android devices sold directly through the telecom to help users block spam calls, identify unknown numbers and avoid robocalls.
Given Verizon's large subscriber base, the application probably has millions of users, as it offers features such as spam detection, caller ID, personal block lists and automatic blocking of high-risk calls. Call Filter also has a premium version that adds spam lookup, personalized controls and caller ID for unknown numbers.
Targeting journalists
As Connelly explained, the application connects to an API endpoint where it retrieves the signed-in user's call history, then displays it in the app. However, due to a configuration error in the API, the user's phone number is not checked, which means that any user could request anyone else's data.
Connelly tested the iOS version, but says the problem is not platform-specific, because the bug resides in the API rather than in the application itself.
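The missing check described above, as an added example that is not Verizon's code and not part of the original article: a handler that authenticates the caller but never compares the requested number with the caller's own, next to one that does. The token format, function names, key, phone numbers and call records are all assumptions constructed for illustration.

```python
import hashlib
import hmac

# Everything below is constructed for illustration: key, numbers, call records.
SERVER_KEY = b"constructed-demo-key"
CALL_LOGS = {
    "+12025550100": [("+12025550142", "2025-02-01T09:14:00Z")],
    "+12025550101": [("+12025550177", "2025-02-01T18:40:00Z")],
}

def _mac(phone):
    return hmac.new(SERVER_KEY, phone.encode(), hashlib.sha256).hexdigest()

def issue_token(phone):
    """Hypothetical session token that binds a login to one subscriber number."""
    return f"{phone}.{_mac(phone)}"

def authenticated_phone(token):
    """Return the number the token was issued for, or None if it is invalid."""
    phone, _, mac = token.rpartition(".")
    ok = hmac.compare_digest(mac.encode(), _mac(phone).encode())
    return phone if ok else None

def get_call_log_unchecked(token, requested_phone):
    """Flawed pattern: the caller is authenticated, but the requested number
    is never compared with the caller's own number."""
    if authenticated_phone(token) is None:
        return 401, []
    return 200, CALL_LOGS.get(requested_phone, [])

def get_call_log_checked(token, requested_phone, audit):
    """Corrected pattern: the requested number must match the token's number."""
    caller = authenticated_phone(token)
    if caller is None:
        return 401, []
    if requested_phone != caller:
        # Record the mismatch so repeated cross-account requests can be alerted on.
        audit.append((caller, requested_phone))
        return 403, []
    return 200, CALL_LOGS[caller] if caller in CALL_LOGS else []
```

The audit list stands in for whatever logging pipeline the service uses; a burst of mismatches from one account is the signal to look for.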
Seeing someone's call log may not seem like much at first, but Connelly warns that it could be a “powerful surveillance tool”, in particular against high-profile targets such as journalists, government opponents, dissidents and the like.
“Call metadata may seem harmless, but in bad hands, it becomes a powerful monitoring tool. With unrestricted access to the history of another user, an attacker could rebuild daily routines, identify frequent contacts and deduce personal relationships,” said Connelly.
Verizon addressed the flaw in March 2025, but we do not know how long this information was exposed, so users should still take additional care.
Via BleepingComputer