A security flaw in Verizon’s Call Filter feature allowed users to access the incoming call logs of other Verizon customers through an unprotected API request.

Security researcher Evan Connelly discovered the vulnerability on February 22, 2025, and Verizon patched it the following month. However, the exact duration of exposure remains unknown.

Call Filter is a free app that helps block spam calls, with a paid version offering advanced features like spam lookup and caller ID. The free version comes pre-installed and enabled by default on many Android and iOS devices sold by Verizon, making it widely used.

Connelly found that the app retrieved call logs from an API endpoint using a JSON Web Token (JWT) for authentication. However, the server did not verify that the phone number in the request belonged to the user identified by the token. This meant anyone with a valid JWT could access another Verizon customer’s incoming call history by modifying a simple request header.
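The missing check described above, shown server-side as an added example (it is not Verizon's or Cequint's code): the first handler only authenticates the token, the second also authorizes the requested number against it. The header name `X-Requested-Number`, the `sub` claim, the HS256 key and the call-log data are assumptions constructed for illustration.

```python
import base64, hashlib, hmac, json

SECRET = b"demo-signing-key"  # constructed key for this example only
# Constructed data store: phone number -> incoming call log
CALL_LOGS = {"5550100": ["5550123 09:14"], "5550199": ["5550142 18:02"]}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(phone: str) -> str:
    """Mint an HS256 JWT whose `sub` claim is the subscriber's number."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({"sub": phone}).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def verify_token(token: str) -> dict:
    """Authenticate: check the signature (algorithm pinned to HS256,
    the token's own `alg` field is never trusted) and return the claims."""
    head, body, sig = token.split(".")
    want = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, _unb64(sig)):
        raise PermissionError("bad signature")
    return json.loads(_unb64(body))

def call_log_flawed(token: str, headers: dict) -> list:
    """Flawed: any valid token is served whatever number the header names."""
    verify_token(token)
    return CALL_LOGS[headers["X-Requested-Number"]]

def call_log_fixed(token: str, headers: dict) -> list:
    """Fixed: the requested number must equal the token's own subject."""
    claims = verify_token(token)
    requested = headers["X-Requested-Number"]
    if requested != claims["sub"]:
        raise PermissionError("token subject does not match requested number")
    return CALL_LOGS[requested]
```

A stricter design drops the client-supplied number entirely and looks up the log by the token's subject alone.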

This flaw could be particularly dangerous for high-profile individuals like journalists, politicians, and law enforcement officers, as it could expose their contacts and daily routines. “Call metadata might seem harmless, but in the wrong hands, it becomes a powerful surveillance tool,” Connelly warned.

Although Verizon acted quickly to fix the issue, concerns remain about its security practices. The vulnerable API was hosted by Cequint, a separate telecommunications technology company with little public information available. Verizon has not yet responded to questions about how long the flaw existed or whether it was exploited before being fixed.

