
A recently patched vulnerability in Verizon’s Call Filter iOS app allowed unauthorized access to call metadata for millions of Verizon Wireless customers. Discovered by security researcher Evan Connelly, the flaw exposed timestamps and phone numbers through an unauthenticated API endpoint, raising concerns about surveillance risks and third-party vendor security [1, 5].
Technical Breakdown of the Vulnerability
The vulnerability resided in an API developed by Cequint, Verizon’s third-party call-filtering provider. By manipulating phone numbers in API requests, attackers could retrieve call logs without authentication [1]. The exposed data included:
- Call timestamps (date/time)
- Full phone numbers of callers/recipients
- Call duration metadata
Verizon patched the issue by mid-March 2025 after Connelly’s responsible disclosure. The company confirmed no evidence of exploitation in the wild [5].
Operational Impact and Threat Modeling
With 140 million+ potential victims (the app may be enabled by default), this data could enable:
| Threat Actor | Potential Use Case |
|---|---|
| Nation-states | Mapping social networks of targets via call patterns |
| Criminal groups | Identifying high-value targets for SIM-swapping |
| Corporate espionage | Tracking executive communications |

This aligns with recent China-linked campaigns like “Salt Typhoon” targeting telecom metadata [10].
Mitigation and Detection Guidance
For organizations monitoring potential exploitation:
- Verify Call Filter app version ≥ 3.2.1 (patched release)
- Review Verizon API logs for unusual GET requests to /callhistory endpoints
- Monitor for anomalous call pattern analysis tools accessing internal networks
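The log review described above can be scripted. The following is an added example, not code from Verizon, Cequint or the researcher: it flags successful GET requests to /callhistory that were unauthenticated or asked for a number other than the authenticated subscriber's, and lists clients that pulled history for many distinct numbers. The log line format, the `number` query parameter and the sample lines are assumptions constructed for illustration; only the /callhistory path comes from the guidance above.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in an assumed format:
# <timestamp> <client_ip> <authenticated_subscriber or -> <method> <url> <status>
SAMPLE_LOG = """\
2025-03-01T10:00:01Z 198.51.100.7 5550100001 GET /callhistory?number=5550100001 200
2025-03-01T10:00:05Z 203.0.113.9 5550100002 GET /callhistory?number=5550100003 200
2025-03-01T10:00:06Z 203.0.113.9 5550100002 GET /callhistory?number=5550100004 200
2025-03-01T10:00:07Z 203.0.113.9 5550100002 GET /callhistory?number=5550100005 200
2025-03-01T10:00:09Z 192.0.2.44 - GET /callhistory?number=5550100001 200
2025-03-01T10:00:11Z 192.0.2.44 - GET /callhistory?number=5550100001 401
2025-03-01T10:00:12Z 198.51.100.7 5550100001 GET /profile 200
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")

def analyze(log_text, max_distinct=2):
    """Return (findings, noisy_clients) for GET /callhistory requests."""
    findings = []            # per-request authorization failures
    seen = defaultdict(set)  # client_ip -> distinct numbers fetched
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue         # skip lines that do not fit the assumed format
        ts, ip, subscriber, method, url, status = m.groups()
        parts = urlsplit(url)
        if method != "GET" or not parts.path.startswith("/callhistory"):
            continue
        if not status.startswith("2"):
            continue         # rejected requests returned no call data
        number = parse_qs(parts.query).get("number", [""])[0]
        seen[ip].add(number)
        if subscriber == "-":
            findings.append((ts, ip, number, "unauthenticated"))
        elif subscriber != number:
            findings.append((ts, ip, number, "subscriber-mismatch"))
    # Clients that retrieved history for more numbers than one user plausibly owns
    noisy = sorted(ip for ip, nums in seen.items() if len(nums) > max_distinct)
    return findings, noisy

if __name__ == "__main__":
    findings, noisy = analyze(SAMPLE_LOG)
    for f in findings:
        print(*f)
    print("clients over threshold:", noisy)
```

The `max_distinct` threshold is a tuning knob: family or business accounts may legitimately query several lines, so set it from the baseline seen in your own logs.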
“Call metadata becomes a powerful surveillance tool in the wrong hands.”
— Evan Connelly [5]
Broader Security Implications
The incident highlights two systemic issues:
- Third-party risks: Verizon’s dependency on Cequint for app development created a supply-chain blind spot. Similar vulnerabilities have been found in other carrier apps using third-party SDKs [7].
- Telecom regulatory gaps: Unlike healthcare (HIPAA) or finance (PCI-DSS), call metadata lacks standardized protection frameworks despite its intelligence value [3].
Conclusion
While Verizon has addressed this specific vulnerability, the case underscores the need for:
- Stricter API authentication in carrier apps
- Enhanced monitoring of call metadata access
- Vendor security assessments for telecom middleware
Security teams should treat call logs as being as sensitive as location data when assessing organizational exposure.
References
- “Hacking Verizon Call Records: A Breach,” Information Security Buzz, Apr. 2025.
- “Hacking Verizon Call Records,” Malware.news, Apr. 2025.
- “Hacking Verizon Call Records,” DataBreaches.net, 3 Apr. 2025.
- D. Morimanno, LinkedIn post, 5 Apr. 2025.
- “Call Records of Millions Exposed by Verizon App Vulnerability,” SecurityWeek, Apr. 2025.
- @Info_Sec_Buzz Twitter thread, 2 Apr. 2025.
- “Verizon Call Filter API Vulnerability,” IT Pro, Apr. 2025.
- “Verizon Contained China-Linked Cyber Incident,” CRN, Apr. 2025.