
A security flaw in Verizon’s Call Filter API allowed unauthorized access to customers’ incoming call histories due to improper authentication checks. The vulnerability, discovered by researcher Evan Connelly in February 2025, exposed metadata such as call timestamps and frequencies for any Verizon Wireless number through a misconfigured API endpoint hosted by third-party provider Cequint [1].
Technical Breakdown of the Vulnerability
The exploit targeted the API endpoint https://clr-aqx.cequintvzwecid.com/clr/callLogRetrieval, which failed to validate whether the authenticated user in the JWT matched the phone number specified in the X-Ceq-MDN header [2]. This allowed attackers to modify the header to retrieve call logs for arbitrary Verizon numbers. The API lacked rate limiting, making mass data scraping feasible. According to technical analysis, the vulnerability specifically affected iOS versions of the Call Filter app, though Android implementations may have shared similar risks [3].
Impact and Mitigation
Verizon patched the vulnerability in March 2025 after being notified by Connelly. While no evidence of exploitation was found, the exposure posed significant privacy risks given that call metadata can reveal behavioral patterns and sensitive relationships. High-profile individuals using Verizon services were particularly vulnerable to surveillance [1]. The incident highlights broader concerns about third-party API security in telecom infrastructure, especially given Cequint’s history of security incidents including a prior ransomware attack [4].
Security Recommendations
Organizations should implement the following measures to detect and prevent similar API vulnerabilities:
- Enforce strict token-to-resource ownership validation for all API requests
- Implement rate limiting and anomaly detection for sensitive endpoints
- Conduct regular audits of third-party API integrations
- Monitor call log APIs for unusual access patterns
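The first recommendation can be shown server-side. The following Python example is added here and is not code from Verizon, Cequint or the cited reports: it verifies the JWT and serves call logs only when the X-Ceq-MDN header names the number bound to the token. The `mdn` claim name, the HS256 shared key, the 10-digit number normalization and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"  # constructed; real services use managed keys

def _b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(claims, key=SECRET):
    """Build a constructed HS256 JWT so the example runs offline."""
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(sig)}"

def verify_token(token, key=SECRET, now=None):
    """Return the claims if algorithm, signature and expiry check out, else None."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        if json.loads(_b64d(head))["alg"] != "HS256":
            return None  # reject "none" and any unexpected algorithm
        expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(sig)):
            return None
        claims = json.loads(_b64d(body))
        return claims if claims["exp"] > now else None
    except (ValueError, KeyError, TypeError):
        return None  # malformed token, missing claim or wrong type

def normalize_mdn(value):
    """Reduce a number to 10 digits (assumed format) so '+1' cannot cause a mismatch."""
    digits = "".join(c for c in str(value) if c.isdigit())
    if len(digits) == 11 and digits[0] == "1":
        digits = digits[1:]
    return digits if len(digits) == 10 else None

def authorize_call_log(headers, now=None):
    """Return (status, mdn); the caller queries logs with the returned mdn only."""
    auth = headers.get("Authorization", "")
    claims = verify_token(auth[7:], now=now) if auth.startswith("Bearer ") else None
    if claims is None:
        return 401, None
    owned = normalize_mdn(claims.get("mdn", ""))  # "mdn" claim name is assumed
    requested = normalize_mdn(headers.get("X-Ceq-MDN", ""))
    if owned is None or requested is None or owned != requested:
        return 403, None  # header names a number the token does not own
    return 200, owned
```

Returning the token-derived number, rather than the header value, means downstream queries never run on client-supplied identifiers; 403 responses from this check are also a useful signal for the anomaly detection in the second recommendation.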
Verizon users should update their Call Filter apps and review call history for anomalies. The case demonstrates how seemingly minor authentication oversights can lead to significant data exposure, particularly in systems handling sensitive communications metadata [5].
References
[1] “Verizon Call Filter API flaw exposed customers’ incoming call history,” BleepingComputer, [Online]. Available: https://www.bleepingcomputer.com/news/security/verizon-call-filter-api-flaw-exposed-customers-incoming-call-history/
[2] “Verizon security flaw could allow hackers to view entire call history,” TechRadar, [Online]. Available: https://www.techradar.com/pro/security/verizon-security-flaw-could-allow-hackers-to-view-entire-call-history
[3] “Verizon Call Filter app vulnerability,” CybersecurityNews, [Online]. Available: https://cybersecuritynews.com/verizon-call-filter-app-vulnerability/
[4] “Verizon Call Filter data leak,” CyberNews, [Online]. Available: https://cybernews.com/security/verizon-call-filter-data-leak/
[5] E. Connelly, [Twitter Thread], Feb. 22, 2025. [Online]. Available: https://twitter.com/BleepinComputer/status/1907520455444988216