Verizon Name Filter API flaw uncovered prospects’ incoming name historical past

A vulnerability in Verizon’s Name Filter function allowed prospects to entry the incoming name logs for an additional Verizon Wi-fi quantity via an unsecured API request.

The flaw was found by security researcher Evan Connelly on February 22, 2025, and was mounted by Verizon someday within the following month. Nonetheless, the whole interval of publicity is unknown.

Verizon’s Name Filter app is a free utility that gives customers spam detection and computerized name blocking. A paid model (Plus) provides a spam lookup and danger meter, the power to use blocks by sort of caller, and obtain caller ID on unknown numbers.

The free model of the app comes pre-installed and enabled by default on eligible Android and iOS units purchased straight from Verizon, and is believed for use on thousands and thousands of units.

Connelly instructed BleepingComputer that he solely examined the iOS app. Nonetheless, he famous that the Android app was additionally very probably impacted by the identical bug, as the difficulty was with the function’s API somewhat than the apps themselves.

Exposing name histories

When utilizing the Name Filter app, Connelly found that the app would connect with an API endpoint, https://clr-aqx.cequintvzwecid.com/clr/callLogRetrieval, to retrieve the logged-in consumer’s incoming name historical past and show it within the app.

“This endpoint requires a JWT (JSON Internet Token) within the Authorization header utilizing the Bearer scheme and makes use of an X-Ceq-MDN header to specify a cellular phone quantity to retrieve name historical past logs for,” explains Connelly.

“A JWT has three elements: header, payload, and signature. It is usually used for authentication and authorization in internet apps.”

Connelly says the payload contains varied knowledge, together with the telephone variety of the logged-in consumer making the request to the API.

Nonetheless, the researcher found that the telephone quantity within the JWT payload for the logged-in consumer was not verified in opposition to the telephone quantity whose incoming name logs had been being requested.

Because of this, any consumer might ship requests utilizing their very own legitimate JWT token, however exchange the X-Ceq-MDN header worth with one other Verizon telephone to retrieve their incoming name historical past.

This flaw is especially delicate for high-value targets like politicians, journalists, and legislation enforcement brokers, as their sources, contacts, and every day routines might be mapped out.

“Name metadata might sound innocent, however within the incorrect arms, it turns into a robust surveillance instrument. With unrestricted entry to a different consumer’s name historical past, an attacker might reconstruct every day routines, establish frequent contacts, and infer private relationships,” defined Connelly.

It’s unclear if charge limiting was in place to stop mass scraping for thousands and thousands of subscribers, however Connolly instructed BleepingComputer he noticed no indication of such a mechanism or an API gateway that often implements a security function like this.

Poor security practices

Though the researcher commends Verizon for its immediate response to his disclosure, he highlighted worrying practices the telecom agency has adopted in dealing with subscribers’ name knowledge.

The weak API endpoint utilized by Name Filter seems to be hosted on a server owned by a separate telecommunications know-how agency referred to as Cequint, which makes a speciality of caller identification companies.

Cequint’s personal web site is offline, and public details about them is proscribed, elevating considerations about how delicate Verizon name knowledge is dealt with.

BleepingComputer contacted Verizon to ask when the flaw was launched, if it was seen exploited previously, and if it impacted all Name Filter customers however has not obtained a response presently.