
Database with Potentially Personal Identifying Information found – Credit Card Numbers Old


  • Platforms: AWS, Azure, GCP
  • Severity: High
  • CVE ID: #343434
  • PingSafe ID: #343434

About Google Cloud Service Accounts

This vulnerability was responsibly disclosed by Anand Prakash, PingSafe, and is now fixed. Special thanks to Zack Whittaker from TechCrunch for helping us through the entire disclosure process and in getting this critical vulnerability fixed.

The “Automatic call recorder” application is one of the popular applications used by iPhone users to record their calls.

The app is among the top-grossing apps in the Business category of the App Store and is currently #15 in downloads in the Business category worldwide.

Summary

We discovered this vulnerability while doing open-source intelligence across mobile applications in different categories. PingSafe decompiled the IPA file and identified the S3 buckets, hostnames, and other sensitive details used by the application.

The vulnerability allowed any malicious actor to listen to any user’s call recordings, through the application’s cloud storage bucket and an unauthenticated API endpoint that leaked the cloud storage URL of the victim’s data.

Cloud Risk Description

This vulnerability existed in the “/fetch-sinch-recordings.php” API endpoint of the “Automatic Call Recorder” application. An attacker could pass another user’s number in the recordings request, and the API would respond with the recording URL in the storage bucket without any authentication. It also leaked the victim’s entire call history and the numbers to which calls were made.
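
The access-control flaw described above, next to a server-side check that closes it. This is an added example, not code from the application or from PingSafe, and it is not a description of the fix that was actually deployed. The data, the key, and the names `issue_token`, `authenticated_number` and the two `fetch_recordings_*` handlers are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data: owner number -> call records (object keys, not public URLs).
RECORDINGS = {
    "+15550100": [{"peer": "+15550177", "key": "rec/a1.m4a"}],
    "+15550101": [{"peer": "+15550188", "key": "rec/b7.m4a"}],
}
SERVER_KEY = b"demo-only-key"  # assumption: a server-side secret, never shipped in the app


def _mac(number: str) -> str:
    return hmac.new(SERVER_KEY, number.encode(), hashlib.sha256).hexdigest()


def issue_token(number: str) -> str:
    """Issued only after the server has verified the user owns `number`."""
    return f"{number}:{_mac(number)}"


def authenticated_number(token: str):
    """Return the number bound to a valid token, or None if it does not verify."""
    number, _, mac = token.rpartition(":")
    ok = hmac.compare_digest(mac.encode(), _mac(number).encode())
    return number if ok else None


def fetch_recordings_vulnerable(params: dict):
    """Flawed pattern: the caller-supplied number alone selects whose data is returned."""
    return 200, RECORDINGS.get(params.get("number"), [])


def fetch_recordings_hardened(params: dict, token: str = ""):
    """Identity comes from the verified token; the request parameter cannot override it."""
    owner = authenticated_number(token)
    if owner is None:
        return 401, []  # no valid credentials presented
    if params.get("number", owner) != owner:
        return 403, []  # authenticated, but asking for someone else's records
    # Return object keys only; the bucket stays private and the server would
    # exchange a key for a short-lived signed URL (assumption, not from the page).
    return 200, RECORDINGS.get(owner, [])
```
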