A serious vulnerability in Verizon’s Call Filter iOS application could have exposed the incoming call records of millions of users, according to cybersecurity researcher Evan Connelly, who discovered the flaw. The Call Filter app is designed to identify and block spam calls for Verizon users, but a lack of proper access control on its backend system introduced a critical privacy risk.
Connelly found that when the app retrieved a user’s incoming call history, it sent a request to a server that included the user’s phone number and a timeframe. However, the backend did not verify that the phone number in the request actually belonged to the authenticated user. As a result, an attacker could have easily modified the request to fetch call records for any arbitrary phone number, potentially accessing millions of users’ call data.
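The missing check described above, as an added example that is not code from Verizon, Cequint or Connelly's research: a lookup handler that trusts the number in the request, beside one that ties the requested number to the authenticated session and records denied lookups. All names (`Session`, `history_flawed`, `history_checked`, `AUDIT`) and the sample records are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample data: incoming calls keyed by subscriber number (digits only).
CALL_LOG = {
    "15550100": [("15550199", 1700000000), ("15550142", 1700003600)],
    "15550101": [("15550177", 1700001800)],
}
AUDIT = []  # denied lookups, kept for detection and alerting


@dataclass(frozen=True)
class Session:
    """Identity established at login (hypothetical shape)."""
    subscriber_number: str


class Forbidden(Exception):
    """Would map to HTTP 403 in a real service."""


def normalize(number):
    """Reduce a phone number to digits so formatting cannot dodge the comparison."""
    return re.sub(r"\D", "", number)


def _query(number, start, end):
    return [(c, ts) for c, ts in CALL_LOG.get(number, []) if start <= ts <= end]


def history_flawed(session, requested_number, start, end):
    # Pattern the article describes: the number in the request is trusted
    # and never compared with the authenticated user.
    return _query(normalize(requested_number), start, end)


def history_checked(session, requested_number, start, end):
    # Object-level authorization: the requested number must be the session's own.
    own = normalize(session.subscriber_number)
    if normalize(requested_number) != own:
        AUDIT.append({"session": own, "requested": normalize(requested_number)})
        raise Forbidden("number does not belong to the authenticated user")
    # Query with the server-side identity, not the client-supplied value.
    return _query(own, start, end)
```

A run of `AUDIT` entries from one session against many different numbers is the signal to alert on.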
The leaked information included only phone numbers and timestamps of incoming calls—no names, messages, or content—but Connelly warned that even this seemingly limited data could be used as a powerful surveillance tool. Call metadata, he explained, can be cross-referenced with social media or other public data to track someone’s daily routines, identify close contacts, or even compromise the privacy of whistleblowers, journalists, and abuse survivors.
It remains unclear whether the flaw affected only users with the Call Filter service enabled or all Verizon customers. Connelly suspects the service may be enabled by default, meaning the issue could have impacted nearly all 140 million Verizon Wireless subscribers.
While there is no evidence that the vulnerability was exploited in the wild, Verizon has since patched the issue and confirmed it only affected iOS devices. The company thanked Connelly for his responsible disclosure and stated it takes security “very seriously.”
Interestingly, Verizon pointed out that the Call Filter app is actually developed by Cequint, a third-party company specializing in caller ID services—something Connelly also confirmed in his research.
This isn’t the first time Evan Connelly has uncovered significant vulnerabilities—he previously found a flaw in a Tesla tool that could have allowed attackers to take over former employees’ accounts.
The incident highlights the importance of robust authentication and authorization checks in mobile apps and the backends they talk to, especially those handling sensitive user data. With the growing value of metadata for nation-state and criminal actors, even small oversights can have widespread implications for personal privacy and national security.