Security researcher Evan Connelly made a discovery that affects millions of Verizon users: a significant privacy flaw. He revealed on his blog that a security vulnerability existed in Verizon’s Call Filter app for iPhones and other iOS devices.
This flaw allowed unauthorized individuals to access and view the call history logs of Verizon users. Worse, the bug let anyone with basic technical skills retrieve the incoming call history of any Verizon number without hacking into a device or knowing the user’s password.
The vulnerability stemmed from how the app requested and received call log data. When users opened the app to check recent calls, it sent a request to a remote server with the user’s phone number to retrieve their records.
This process should have been safeguarded so that only the logged-in user could access their own information. However, the app’s backend did not properly verify that a request came from the owner of the phone number it asked about.
This oversight meant that someone could modify the request to query a different phone number and effortlessly gain access to another person’s call history. Although this vulnerability did not expose text messages or conversations, access to incoming call records can be revealing.
Timestamps and frequently called numbers can lead to insights about a person’s daily activities, contacts, and locations, which could be especially perilous for vulnerable groups such as journalists, activists, or abuse survivors. Interestingly, the system containing this flaw was not directly overseen by Verizon but by Cequint, a lesser-known firm specializing in caller ID technology.
This fact raises concerns about how third-party companies handle and secure user data. Connelly reported the issue in February 2025, and Verizon addressed it with a patch in mid-March.
The company maintained that there was no indication the flaw had been exploited and that it only affected iOS devices. Nonetheless, this incident serves as a stark reminder of the importance of privacy, even in routine operations like checking call history.
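
The missing server-side check described above, shown as an added sketch that is not Verizon's or Cequint's code: a hypothetical call-log lookup in which each session is bound to a phone number at login. All names (`SESSIONS`, `get_calls_vulnerable`, `get_calls_fixed`, the token strings) and the sample records are constructed for illustration.

```python
import re

# Constructed sample data: session token -> phone number verified at login,
# and phone number -> incoming call records. None of these values are real.
SESSIONS = {"tok-alice": "+15550100", "tok-bob": "+15550111"}
CALL_LOGS = {
    "+15550100": [{"from": "+15550123", "ts": "2025-02-01T09:14:00Z"}],
    "+15550111": [{"from": "+15550145", "ts": "2025-02-01T18:40:00Z"}],
}


def normalize(number):
    """Reduce a phone number to '+' followed by digits so formats compare equal."""
    return "+" + re.sub(r"\D", "", number)


def get_calls_vulnerable(token, requested_number):
    """Flawed pattern: confirms a login exists, then trusts the client-supplied number."""
    if token not in SESSIONS:
        return 401, []
    return 200, CALL_LOGS.get(normalize(requested_number), [])


def get_calls_fixed(token, requested_number, audit):
    """Hardened pattern: the requested number must match the session's own number."""
    owner = SESSIONS.get(token)
    if owner is None:
        return 401, []
    wanted = normalize(requested_number)
    if wanted != owner:
        # A mismatch is a detection signal: record who asked for whose data.
        audit.append({"session_owner": owner, "requested": wanted})
        return 403, []
    # Serve records keyed by the authenticated identity, not the request field.
    return 200, CALL_LOGS.get(owner, [])


if __name__ == "__main__":
    audit_log = []
    print(get_calls_vulnerable("tok-alice", "+15550111"))
    print(get_calls_fixed("tok-alice", "+15550111", audit_log))
    print(audit_log)
```

The audit entries written on a mismatch give the operator a record to review when assessing whether such requests were ever attempted.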