Security researcher Evan Connelly recently identified a security vulnerability in the Verizon Call Filter iOS app which made it possible for a malicious actor to leak call history logs of Verizon Wireless customers.
Call logs can be highly valuable, particularly for nation-states, as they enable intelligence agencies to map social networks, track high-value targets, figure out communication patterns, and correlate metadata with other surveillance data to uncover covert operations or political affiliations. This was evident in the recent coverage of the Salt Typhoon breach of telecom networks.
“Given that this data is of such value, you’d expect that both how it’s accessed, and who is given access would be closely guarded. However, as I found, this may not be the case,” Connelly said.
He said in order to display the recent history of received calls in the Verizon Call Filter app, a network request is made to a server, which contains details such as the phone number and the requested time period for call records. The server then responds with a list of calls and timestamps for each.
“So surely the server validated that the phone number being requested was tied to the signed in user? Right? Right?? Well…no. It was possible to modify the phone number being sent, and then receive data back for Verizon numbers not associated with the signed in user. In short, anyone could lookup data for anyone.”
Posing Serious Safety Risks
Connelly said while this a privacy concern for everyone, for some, their safety could be at risk, too.
“Consider scenarios involving survivors of domestic abuse, law enforcement officers, or public figures—individuals who rely on the confidentiality of their communication patterns. Having their incoming call logs exposed is not just invasive; it’s dangerous.”
While call metadata may seem harmless, in the wrong hands, Connelly says it becomes a powerful surveillance tool. “With unrestricted access to another user’s call history, an attacker could reconstruct daily routines, identify frequent contacts, and infer personal relationships. Timestamps can be cross-referenced with social media or public sightings to map physical movements. Repeated numbers expose private or burner lines, compromising whistleblowers, journalists, or abuse survivors.
“This wasn’t just a data leak. It was a real-time surveillance mechanism waiting to be abused,” he explained.
How it Works
The app retrieves call histories by sending a request to the endpoint , including a JSON Web Token (JWT) in the Authorization header and the target phone number in the X-Ceq-MDN header.
The JWT’s payload contains the sub field, representing the signed-in user’s phone number. However, the server did not validate that the phone number in the X-Ceq-MDN header matched the sub field in the JWT payload.
This oversight allowed attackers to specify any Verizon phone number in the X-Ceq-MDN header and access that number’s call history without proper authorization.
Links to Caller ID and Call Authentication Services
The vulnerability was linked to Cequint, a subsidiary of Transaction Network Services (TNS), which provides caller ID and call authentication services for major telecom carriers, including Verizon. Cequint’s backend infrastructure was responsible for processing call log requests in the Verizon Call Filter app.
The security flaw arose because Cequint’s API allowed unauthorized users to request call logs for arbitrary Verizon numbers, as it did not enforce a proper validation check between the JWT’s sub field (which should represent the authenticated user) and the X-Ceq-MDN header (which specified the target phone number).
This misconfiguration meant that a threat actor with a valid JWT—likely from their own Verizon account—could supply any other Verizon number and retrieve its call history.
Raising Serious Questions
Since Cequint provides similar services to other carriers, the discovery of this flaw begs the question about whether similar vulnerabilities could exist in other telecom implementations, as well as how much data does this obscure company without a website of its own have? And how well secured is it?
“I do want to credit Verizon for a quick response and fix. While I don’t have the exact date they fixed this issue, I believe it was sooner than when I retested the issue and noted on my side that it looked to be resolved. They were also prompt to acknowledge my report,” Connelly ended.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.