A serious vulnerability in Verizon’s widely used Call Filter app left millions of users at risk: a backend API that served incoming call histories never checked which account the requester was entitled to query, so any authenticated user could read other customers’ call logs.
Security researcher Evan Connelly uncovered the flaw on February 22, 2025. The issue was later patched by Verizon in mid-March. However, it’s unclear how long the flaw existed before it was discovered—or whether it was exploited in the wild.
Verizon’s Call Filter app, which comes pre-installed and enabled by default on eligible Android and iOS devices sold directly by Verizon, is designed to help users identify spam and block unwanted calls. A premium tier, Call Filter Plus, adds enhanced features such as caller ID for unknown numbers, risk ratings, and custom call-blocking preferences.
Vulnerable API Left Call Logs Exposed
According to Connelly, the flaw was not in the app itself but in an insecure backend API endpoint that returned the incoming call history for a user’s account. Requests carried a JSON Web Token (JWT) for authentication and a separate X-Ceq-MDN header naming the Verizon number (the MDN, or mobile directory number) whose call logs were being requested.
A correctly built endpoint would check that the phone number in the X-Ceq-MDN header matches the phone number bound to the JWT, so that the caller is authorized for the specific record being requested. Here the server validated the token but never cross-checked those two values, a textbook case of broken object level authorization (the bug class also known as IDOR).
As a result, any logged-in user holding a valid JWT could change the X-Ceq-MDN header to another Verizon number and immediately retrieve that customer’s incoming call history. No token forgery was needed; the attacker’s own token was accepted as authorization for everyone’s data.
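The following is an added illustration, not code from Verizon, Cequint or Connelly. It models the endpoint described above in Python: a hand-rolled HS256 JWT (assumed to carry the account’s phone number in its sub claim, which is an assumption about the token layout), a handler that reproduces the reported flaw by trusting X-Ceq-MDN as-is, and a fixed handler that enforces the missing cross-check. The signing key and call records are constructed sample data.

```python
import base64
import hashlib
import hmac
import json

# Hypothetical HS256 signing key; a real deployment would use a managed or asymmetric key.
SECRET = b"demo-signing-key-not-for-production"

# Constructed sample data: incoming call history keyed by MDN (the subscriber's phone number).
CALL_HISTORY = {
    "2125550100": [{"from": "2125550199", "ts": "2025-02-22T10:00:00Z"}],
    "3105550142": [{"from": "3105550177", "ts": "2025-02-22T11:30:00Z"}],
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_jwt(mdn: str) -> str:
    """Issue an HS256 JWT whose sub claim is the account's MDN (assumed claim layout)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": mdn}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str):
    """Return the claims if the signature checks out, else None."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None


def _authenticate(headers: dict):
    auth = headers.get("Authorization", "")
    return verify_jwt(auth[len("Bearer "):]) if auth.startswith("Bearer ") else None


def vulnerable_handler(headers: dict):
    """Mirrors the reported flaw: the token is verified, but X-Ceq-MDN is trusted as-is."""
    claims = _authenticate(headers)
    if claims is None:
        return 401, {"error": "invalid token"}
    mdn = headers.get("X-Ceq-MDN", "")
    return 200, {"mdn": mdn, "calls": CALL_HISTORY.get(mdn, [])}


def fixed_handler(headers: dict):
    """Object-level authorization: the requested MDN must be the authenticated subject's own."""
    claims = _authenticate(headers)
    if claims is None:
        return 401, {"error": "invalid token"}
    mdn = headers.get("X-Ceq-MDN", "")
    if mdn != claims.get("sub"):
        return 403, {"error": "forbidden"}
    return 200, {"mdn": mdn, "calls": CALL_HISTORY.get(mdn, [])}


if __name__ == "__main__":
    # Attacker holds a valid token for 2125550100 but asks for 3105550142's history.
    attacker = {"Authorization": "Bearer " + mint_jwt("2125550100"), "X-Ceq-MDN": "3105550142"}
    print("vulnerable:", vulnerable_handler(attacker))  # leaks the other number's calls
    print("fixed:     ", fixed_handler(attacker))       # 403
```

The point to take from the two handlers is that the JWT signature check is not the weak link: tampering with the token’s sub claim fails verification in both versions. The leak comes entirely from accepting a client-supplied object identifier without tying it to the authenticated identity, which is why the fix is a one-line comparison rather than a change to the token scheme.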
“This kind of oversight turns call metadata into a surveillance tool,” said Connelly. “It can reveal routines, frequent contacts, and even personal relationships.”
iOS Confirmed Affected, Android Likely Vulnerable Too
Connelly tested the iOS version of Call Filter, but because the flaw lived in the shared backend API rather than in the client app, he suspects Android users were equally exposed.
Verizon stated that only iOS devices were affected, but since the same API serves every client platform, Android devices could have been at risk too. Verizon has not clarified the full scope of the issue.
A Goldmine for Surveillance
Although call metadata might sound trivial compared to content like call recordings or text messages, it’s a treasure trove for attackers—especially when high-profile individuals like politicians, law enforcement, or journalists are involved.
With unrestricted access to this metadata, bad actors could map out someone’s daily movements, deduce patterns, identify associates, and uncover sensitive relationships.
Worryingly, Connelly saw no sign of rate limiting or other abuse controls in front of the endpoint. An attacker could therefore have enumerated phone numbers and scraped call histories at scale without triggering alarms.
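Where an endpoint ships without abuse controls, the compensating detection is to mine its access logs for exactly the pattern above: a token subject successfully reading records that belong to other numbers, and subjects that do so for many distinct numbers. The following is an added example, not code or a log format from Verizon or Cequint; the log lines are constructed, and the field layout (token subject, requested X-Ceq-MDN value, HTTP status) is an assumption.

```python
import re
from collections import defaultdict

# Constructed access log for the call-history endpoint. The field layout (token subject,
# requested X-Ceq-MDN value, status) is an assumption, not Cequint's or Verizon's real format.
SAMPLE_LOG = """\
2025-02-22T10:00:01Z sub=2125550100 mdn=2125550100 status=200
2025-02-22T10:00:02Z sub=2125550100 mdn=3105550142 status=200
2025-02-22T10:00:02Z sub=2125550100 mdn=3105550143 status=200
2025-02-22T10:00:03Z sub=2125550100 mdn=3105550144 status=200
2025-02-22T10:00:05Z sub=4155550123 mdn=4155550123 status=200
2025-02-22T10:00:07Z sub=7185550177 mdn=2125550100 status=200
2025-02-22T10:00:09Z sub=unknown mdn=2125550100 status=401
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sub=(?P<sub>\S+) mdn=(?P<mdn>\S+) status=(?P<status>\d+)$"
)


def parse_log(text: str) -> list:
    """Parse log lines into dicts; lines that do not match the expected layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({**m.groupdict(), "status": int(m.group("status"))})
    return events


def cross_account_reads(events: list) -> list:
    """Successful reads where the requested MDN differs from the token's own subject."""
    return [e for e in events if e["status"] == 200 and e["mdn"] != e["sub"]]


def flag_enumerators(events: list, max_foreign_mdns: int = 2) -> dict:
    """Subjects that pulled history for more distinct foreign MDNs than the threshold."""
    seen = defaultdict(set)
    for e in cross_account_reads(events):
        seen[e["sub"]].add(e["mdn"])
    return {sub: sorted(mdns) for sub, mdns in seen.items() if len(mdns) > max_foreign_mdns}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for e in cross_account_reads(evts):
        print("cross-account read:", e)
    print("enumerators:", flag_enumerators(evts))
```

On a correctly authorized endpoint every cross-account read should be a 403, so a single 200 in `cross_account_reads` is itself a high-fidelity signal that the check is missing or bypassed; the cardinality threshold in `flag_enumerators` is what separates a one-off from bulk scraping. Both queries require that the backend log the token subject alongside the requested identifier, which is the logging decision that makes this kind of abuse visible at all.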
Verizon Partner Cequint Raises More Questions
The API in question was hosted on infrastructure managed by Cequint, a lesser-known telecommunications firm specializing in caller identification technology. Connelly expressed concern over Verizon outsourcing sensitive data operations to a third party with limited public transparency.
At the time of writing, Cequint’s website was offline, raising further questions about their role and data security practices.
Verizon Responds
After initially remaining silent, Verizon issued a statement to BleepingComputer confirming that they had patched the issue in March 2025. According to a company spokesperson, there was no evidence of active exploitation. They also emphasized that only iOS users were affected.
“Verizon was made aware of this vulnerability and worked with the third-party app owner on a fix and patch that was pushed in mid-March… Verizon appreciates the responsible disclosure of the finding by the researcher and takes the security very seriously.”
Still, the incident has raised concerns about Verizon’s handling of user data and its reliance on third-party services for critical backend functionality.