Verizon glitch put users’ call logs in the wrong hands, sparks real-time surveillance worries
As he writes on his blog, he identified a security vulnerability in Verizon‘s Call Filter app for iPhones and iOS devices, which allows a bad actor to get and see the call history logs of Verizon users.
The issue gets real concerning when taking into account that the bug allowed anyone with some technical knowledge to access the incoming call history of any Verizon phone number – without needing to hack into a phone, guess a password, or even alert the victim.
At the core of the problem was a vulnerability in how the app requested and received call log data. When users opened the app to view recent calls, it would send a request to a remote server, identifying the user’s phone number and asking for matching records. This should have been tightly restricted, so only the person logged into the app could see their own data.
Example of a vulnerable request. | Image credit – Evan Connelly
It turned out the app’s backend failed to properly verify that the request was coming from the actual account holder. This meant that a curious – or malicious – actor could change the request to ask for someone else’s number and receive their call log in return. No passwords, no permission, just a number and a little know-how.
To be clear, this bug didn’t expose text messages or full conversations. But even access to just incoming call history is deeply revealing. Timestamps and frequent numbers can paint a surprisingly detailed picture of a person’s habits, contacts, and whereabouts. For journalists, activists, police officers, or abuse survivors, this kind of leak could be incredibly dangerous.
What’s more, the system behind this flaw appears to have been managed not directly by Verizon, but by a lesser-known company called Cequint, which specializes in caller ID tech. This raises additional questions about how much user data is handled by third parties – and how secure that data really is.
Evan found and reported the bug in February 2025. Verizon has since fixed the issue, but the exposure could have affected many users, especially since Call Filter is likely active by default for most Verizon customers. It’s a stark reminder that even the simple act of checking who called you shouldn’t come at the cost of your privacy.BleepingComputer, which also reported on the story, contacted Verizon and the carrier’s response assures that Verizon “worked with the third-party app owner on a fix and patch”, which was then pushed in mid-March. The company claims there was “no indication that the flaw was exploited” and “only impacted iOS devices”, but now the issue has been “resolved”.
