A vulnerability in Verizon’s Name Filter characteristic allowed prospects to entry the incoming name logs for an additional Verizon Wi-fi quantity by an unsecured API request.
The flaw was found by safety researcher Evan Connelly on February 22, 2025, and was mounted by Verizon someday within the following month. Nonetheless, the overall interval of publicity is unknown.
Verizon’s Name Filter app is a free utility that provides customers spam detection and computerized name blocking. A paid model (Plus) provides a spam lookup and threat meter, the flexibility to use blocks by sort of caller, and obtain caller ID on unknown numbers.
The free model of the app comes pre-installed and enabled by default on eligible Android and iOS gadgets purchased straight from Verizon, and is believed for use on thousands and thousands of gadgets.
Connelly advised BleepingComputer that he solely examined the iOS app. Nonetheless, he famous that the Android app was additionally very seemingly impacted by the identical bug, as the difficulty was with the characteristic’s API moderately than the apps themselves.
Exposing name histories
When utilizing the Name Filter app, Connelly found that the app would connect with an API endpoint, https://clr-aqx.cequintvzwecid.com/clr/callLogRetrieval, to retrieve the logged-in consumer’s incoming name historical past and show it within the app.
“This endpoint requires a JWT (JSON Net Token) within the Authorization header utilizing the Bearer scheme and makes use of an X-Ceq-MDN header to specify a mobile phone quantity to retrieve name historical past logs for,” explains Connelly.
“A JWT has three components: header, payload, and signature. It is usually used for authentication and authorization in internet apps.”
Connelly says the payload consists of numerous knowledge, together with the telephone variety of the logged-in consumer making the request to the API.
JWT payload
Supply: Connelly
Nonetheless, the researcher found that the telephone quantity within the JWT payload for the logged-in consumer was not verified in opposition to the telephone quantity whose incoming name logs had been being requested.
Consequently, any consumer might ship requests utilizing their very own legitimate JWT token, however exchange the X-Ceq-MDN header worth with one other Verizon telephone to retrieve their incoming name historical past.
Instance request despatched to the weak API
Supply: evanconnelly.github.io
This flaw is especially delicate for high-value targets like politicians, journalists, and regulation enforcement brokers, as their sources, contacts, and day by day routines may very well be mapped out.
“Name metadata might sound innocent, however within the fallacious palms, it turns into a strong surveillance device. With unrestricted entry to a different consumer’s name historical past, an attacker might reconstruct day by day routines, establish frequent contacts, and infer private relationships,” defined Connelly.
It’s unclear if charge limiting was in place to forestall mass scraping for thousands and thousands of subscribers, however Connolly advised BleepingComputer he noticed no indication of such a mechanism or an API gateway that normally implements a safety characteristic like this.
Poor safety practices
Though the researcher commends Verizon for its immediate response to his disclosure, he highlighted worrying practices the telecom agency has adopted in dealing with subscribers’ name knowledge.
The weak API endpoint utilized by Name Filter seems to be hosted on a server owned by a separate telecommunications know-how agency known as Cequint, which makes a speciality of caller identification providers.
Cequint’s personal web site is offline, and public details about them is proscribed, elevating considerations about how delicate Verizon name knowledge is dealt with.
BleepingComputer contacted Verizon to ask when the flaw was launched, if it was seen exploited previously, and if it impacted all Name Filter customers however has not acquired a response at the moment.
Based mostly on an evaluation of 14M malicious actions, uncover the highest 10 MITRE ATT&CK strategies behind 93% of assaults and defend in opposition to them.
