Flaw in Verizon call record requests put millions of Americans at risk

Security researcher Evan Connelly discovered an enormous flaw affecting one of the largest telecommunications companies in the world that could allow any single person to view the recent incoming call log for potentially any Verizon phone number.

“In short, anyone could lookup data for anyone,” Connelly said.

A vulnerability in the Verizon Call Filter iOS app allowed anyone to request the call logs of millions of US Verizon customers. The Verizon Call Filter app for iOS allows customers to view a log of their recent calls. This log will show them the phone numbers and an associated timestamp.

To request such a log the app sends a request to a server to fetch the data belonging to the phone number in question.  The network request to the server contains various details such as your phone number and the requested time period for call records. The server then responds with a list of calls and timestamps.

But, as it turns out, there were no checks to make sure that the number the information was requested about and the number that sent the request matched.

So, the researcher was able to craft requests for any given phone number and get the call logs for that number, without the ownership of that number. The consequence: anyone could look up data for any Verizon Wireless customer.

The researcher did not check whether every Verizon Wireless customer was affected by this flaw.

“The issue I discovered impacted at least those who have the Verizon Call Filter service enabled (I did not test a number which had it disabled; I can’t rule out whether or not all Verizon numbers could have been impacted).”

But it looks as if the Verizon Call Filter is enabled by default, so at least a great many Verizon Wireless customers would be impacted.

This is not just a privacy concern. For some people this could be a security hazard. For people in a domestic abuse situation, public figures, or those of interest to resourceful cyberattackers, a history of calls and frequent callers falling in the wrong hands can put people at physical risk or even compromise national security.

An attacker with access to someone’s call history could figure out their daily habits, see who they talk to most often, and guess their personal relationships. There is no available information whether this flaw was ever actively abused.

Thankfully, Verizon took the issue seriously and fixed it promptly.

Timeline:

• 2/22/2025 – Issue discovered and reported to Verizon
• 2/24/2025 – Acknowledgment from Verizon of the report
• 3/23/2025 – Researcher requested an update as the issue appeared fixed
• 3/25/2025 – Confirmation from Verizon that the issue is resolved

Verizon call filter

The Verizon Call Filter is a useful tool against robocalls, since it’s a screening and filtering tool that helps you manage nuisance calls. Verizon uses a Know Your Customer (KYC) scoring system to identify spam call networks and block their calls before they reach your phone. Based on your settings, blocked calls will either go to voicemail or stopped altogether.

If you no longer want to use Call Filter, it’s easy to turn it off. Here’s how:

On iPhone:

1. Open the Call Filter app.
2. Go to Settings.
3. Tap Manage Plan and select Turn Off Call Filter.

Alternatively, you can disable it from your iPhone’s settings by going to Settings > Phone > Call Blocking & Identification and toggling off the Call Filter option.

On Android:

1. Open the Call Filter app (it might already be installed on your device).
2. Tap Account, then Manage Plan.
3. Follow the steps to disable Call Filter.

As an alternative you can use Malwarebytes Mobile Security for iOS or Malwarebytes Mobile Security for Android to block scam calls.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.