The vulnerability had two parts: the app's cloud storage bucket allowed anyone to retrieve users' call recordings, and an unauthenticated API endpoint exposed the cloud storage URLs for those recordings. As a result, anyone who knew a user's phone number could have accessed that user's private call recordings. The app maker has since fixed the vulnerability by issuing a patch.
Furthermore, thousands of iOS apps that use public cloud services such as Amazon Web Services, Google Cloud, and Microsoft Azure appear to be misconfigured in ways that risk exposing user data, so weaknesses of this kind are widespread rather than confined to one app.
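The two weaknesses described above (an endpoint that hands out storage URLs to any caller who supplies a phone number, and storage objects reachable by anyone holding the URL) are easiest to see side by side with their fix. The following is an added illustration written for this page, not the app's code: it models a lookup endpoint as plain Python functions, with constructed sample data, a hypothetical bucket hostname and a hypothetical session table. The vulnerable version returns long-lived bucket URLs keyed only by phone number; the hardened version authenticates the caller, checks that the caller owns the requested phone number, and returns short-lived HMAC-signed URLs that the storage front end can verify, so a leaked URL stops working and a tampered object key fails verification.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample data: phone number -> object keys of that user's recordings.
RECORDINGS = {
    "+15550001111": ["rec/2021-03-01T10-00.mp3", "rec/2021-03-02T11-30.mp3"],
    "+15550002222": ["rec/2021-03-05T09-15.mp3"],
}
# Hypothetical bucket base URL and a constructed session-token -> owner mapping.
BUCKET_BASE = "https://storage.example.invalid/call-recordings"
SESSIONS = {"tok-alice": "+15550001111", "tok-bob": "+15550002222"}
# Constructed server-side secret shared with the storage front end.
SIGNING_KEY = b"server-side-signing-secret"


def lookup_vulnerable(phone):
    """The broken pattern: no authentication, no ownership check, and the
    response is a plain bucket URL that anyone can fetch indefinitely."""
    return [f"{BUCKET_BASE}/{key}" for key in RECORDINGS.get(phone, [])]


def sign_url(key, expires_at):
    """Build a URL whose object key and expiry are bound by an HMAC tag."""
    msg = f"{key}|{expires_at}".encode()
    sig = hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()
    return f"{BUCKET_BASE}/{key}?" + urlencode({"expires": expires_at, "sig": sig})


def verify_signed_url(url, now=None):
    """What the storage front end does before serving an object: reject
    expired links and links whose key or expiry was altered after signing."""
    now = time.time() if now is None else now
    parsed = urlparse(url)
    key = parsed.path[len(urlparse(BUCKET_BASE).path) + 1:]
    qs = parse_qs(parsed.query)
    try:
        expires_at = int(qs["expires"][0])
        sig = qs["sig"][0]
    except (KeyError, ValueError):
        return False
    if now > expires_at:
        return False
    expected = hmac.new(SIGNING_KEY, f"{key}|{expires_at}".encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    return hmac.compare_digest(sig, expected)


def lookup_hardened(session_token, phone, ttl=300, now=None):
    """The fixed pattern: authenticate, authorise by ownership, then issue
    URLs that expire after `ttl` seconds instead of permanent bucket links."""
    caller = SESSIONS.get(session_token)
    if caller is None:
        raise PermissionError("unauthenticated")
    if caller != phone:
        raise PermissionError("forbidden: caller does not own this number")
    now = time.time() if now is None else now
    expires_at = int(now) + ttl
    return [sign_url(key, expires_at) for key in RECORDINGS.get(phone, [])]


if __name__ == "__main__":
    # Anyone can enumerate another user's recordings through the old endpoint.
    print(lookup_vulnerable("+15550002222"))
    # Bob cannot read Alice's recordings through the fixed endpoint.
    try:
        lookup_hardened("tok-bob", "+15550001111")
    except PermissionError as exc:
        print("blocked:", exc)
    # Alice gets links that the storage layer will only honour briefly.
    for url in lookup_hardened("tok-alice", "+15550001111"):
        print(url, verify_signed_url(url))
```

The ownership check is the part that closes the phone-number lookup hole; the signed, expiring URL is the part that makes an accidentally public bucket far less damaging, because the object path alone is no longer enough to fetch a recording. In production the signing would normally be done with the cloud provider's own pre-signed URL mechanism rather than a hand-rolled HMAC, and the bucket itself should deny anonymous reads.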
Looking at the issue, Anurag Kahol, CTO and co-founder of Bitglass considers the ramifications.
Kahol outlines to Digital Journal why the issue continues to be important, despite the problem being addressed: “Although the critical vulnerability identified in the app was patched, anyone could have easily accessed the thousands of call recordings during the timeframe of exposure simply by knowing a user’s phone number.”
As to what this means, Kahol explains: “This was not only a violation of data privacy, but also put the affected users at physical and cyber risk if their recorded conversations contained sensitive, personal details.”
In terms of the wider significance, Kahol states: “App makers that fail to invest in their own cybersecurity readiness must recognize that the fines they could face for noncompliance with data privacy laws are incredibly expensive – not to mention the cost of losing their customers’ trust. Companies storing sensitive data in the cloud must look to flexible and cost-effective security solutions that enforce real-time access control, manage the sharing of data with external parties, and prevent data leakage. It is only with these types of capabilities that organizations can obtain full visibility and control over cloud data.”