A critical security vulnerability in the Verizon Call Filter iOS app exposed the incoming call records of potentially millions of Verizon Wireless customers, allowing unauthorized access to sensitive communication metadata without device compromise or user notification. 

Independent security researcher Evan Connelly discovered and responsibly disclosed the flaw on February 22, 2025, which has since been patched.

Verizon Call Filter App Vulnerability

The security flaw resided in a backend API endpoint used by the Call Filter app to retrieve call history. 

The vulnerable endpoint, https://clr-aqx.cequintvzwecid.com/clr/callLogRetrieval, failed to perform proper authorization checks when processing requests for call logs.

“It was possible to modify the phone number being sent, and then receive data back for Verizon numbers not associated with the signed-in user,” explained Connelly in his detailed disclosure. 

“In short, anyone could look up data for anyone.”

The technical issue stemmed from incomplete JWT (JSON Web Token) validation. The API required a valid JWT in the Authorization header, which authenticated the caller, but it never verified that the phone number specified in the X-Ceq-MDN header matched the authenticated user’s number in the JWT payload.

A typical JWT payload contained:

The server should have compared the sub field (representing the authenticated user) with the requested phone number to ensure proper access control, but failed to do so.
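The check described above, as an added example that is not code from Verizon, Cequint or the researcher's disclosure: a handler that only authenticates the token, next to one that also binds the X-Ceq-MDN header to the token's sub claim. The signing key, HS256 algorithm, phone numbers, call records and function names are constructed for illustration, and it assumes sub holds the number in the same format as the header.

```python
import base64, hashlib, hmac, json

SECRET = b"demo-signing-key"  # constructed key, for this example only
CALL_LOGS = {  # constructed sample records keyed by phone number (MDN)
    "5550100001": [{"from": "5550100999", "ts": "2025-02-20T10:00:00Z"}],
    "5550100002": [{"from": "5550100888", "ts": "2025-02-21T18:30:00Z"}],
}

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(sub: str) -> str:
    """Mint an HS256 JWT whose sub claim is the subscriber's number."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps({"sub": sub}).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def verify_token(token: str) -> dict:
    """Authentication only: check the signature and return the claims."""
    head, body, sig = token.split(".")
    if json.loads(b64url_decode(head)).get("alg") != "HS256":
        raise PermissionError("unexpected alg")
    want = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, b64url_decode(sig)):
        raise PermissionError("bad signature")
    return json.loads(b64url_decode(body))

def get_logs_flawed(headers: dict) -> list:
    """The flaw as described: a valid token is accepted for any X-Ceq-MDN."""
    verify_token(headers["Authorization"].removeprefix("Bearer "))
    return CALL_LOGS.get(headers["X-Ceq-MDN"], [])

def get_logs_checked(headers: dict) -> list:
    """Authorization: the requested number must equal the token's sub."""
    claims = verify_token(headers["Authorization"].removeprefix("Bearer "))
    if claims.get("sub") != headers["X-Ceq-MDN"]:
        raise PermissionError("X-Ceq-MDN does not match the token subject")
    return CALL_LOGS.get(headers["X-Ceq-MDN"], [])
```

A stricter design drops the client-supplied number entirely and looks up records by the verified sub claim, so there is nothing left to compare.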

Verizon Wireless Customers Affected

The vulnerability potentially affected all Verizon Wireless customers with the Call Filter service enabled, which, according to Connelly, may be activated by default for many subscribers. 

While the exposed data was limited to incoming call logs with timestamps, this information could enable significant privacy intrusions.

“Consider scenarios involving survivors of domestic abuse, law enforcement officers, or public figures—individuals who rely on the confidentiality of their communication patterns,” noted Connelly. 

“Having their incoming call logs exposed is not just invasive; it’s dangerous.”

Call metadata, while not containing conversation content, can reveal communication patterns and frequent contacts and, when cross-referenced with other information, potentially expose sensitive relationships or physical movements.

The vulnerable API was hosted on infrastructure operated by Cequint, a telecom technology provider specializing in caller ID services. 

Analysis of the endpoint's domain revealed the connection, raising questions about the security practices of third-party vendors handling sensitive telecom data.

Interestingly, according to Adlumin Threat Research, Cequint was previously reported as a victim in an Akira ransomware attack targeting the IT sector. The company’s website appears to be currently offline.

This incident follows other telecom security concerns, including alleged breaches of Verizon’s Push-to-Talk service reported in late 2024, highlighting ongoing challenges in securing telecommunications infrastructure across the industry.
