"This endpoint requires a JWT (JSON Web Token) in the Authorization header using the Bearer scheme and uses an X-Ceq-MDN header to specify a cell phone number to retrieve call history logs for," explains Connelly. As a result, any user could send requests using their own valid JWT token, but replace the X-Ceq-MDN header value with another Verizon phone to retrieve their incoming call history. When using the Call Filter app, Connelly discovered that the app would connect to an API endpoint, to retrieve the logged-in user's incoming call history and display it in the app. A vulnerability in Verizon's Call Filter feature allowed customers to access the incoming call logs for another Verizon Wireless number through an unsecured API request. However, the researcher discovered that the phone number in the JWT payload for the logged-in user was not verified against the phone number whose incoming call logs were being requested. BleepingComputer contacted Verizon to ask when the flaw was introduced, if it was seen exploited in the past, and if it impacted all Call Filter users but has not received a response at this time. Although the researcher commends Verizon for its prompt response to his disclosure, he highlighted worrying practices the telecom firm has followed in handling subscribers' call data. With unrestricted access to another user's call history, an attacker could reconstruct daily routines, identify frequent contacts, and infer personal relationships," explained Connelly. The vulnerable API endpoint used by Call Filter appears to be hosted on a server owned by a separate telecommunications technology firm called Cequint, which specializes in caller identification services. Verizon's Call Filter app is a free utility that offers users spam detection and automatic call blocking. Cequint's own website is offline, and public information about them is limited, raising concerns about how sensitive Verizon call data is handled. Connelly says the payload includes various data, including the phone number of the logged-in user making the request to the API. The flaw was discovered by security researcher Evan Connelly on February 22, 2025, and was fixed by Verizon sometime in the following month.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 02 Apr 2025 19:50:22 +0000