A critical vulnerability in the Verizon Call Filter app for iOS exposed incoming call records of potentially all Verizon Wireless customers, allowing unauthorized access to sensitive metadata without authentication or device compromise.
The flaw was discovered by independent security researcher Evan Connelly on February 22, 2025, and responsibly disclosed to Verizon the same day. The researcher observed that a backend API used by the Call Filter app failed to verify that the phone number requested for call history matched the authenticated user’s number. As a result, any attacker with a valid JWT token — readily available to logged-in users — could manipulate the request header to retrieve call logs for any Verizon customer.
The vulnerable endpoint, ‘https://clr-aqx.cequintvzwecid.com/clr/callLogRetrieval,' accepted a JSON Web Token (JWT) in the Authorization header and a phone number in the X-Ceq-MDN header. Although the JWT’s payload included the authenticated user's number as the sub (subject) field, the server did not enforce a check to ensure this matched the phone number being requested — an elementary yet critical oversight in access control.
Evan Connelly
Verizon Call Filter is a service designed to protect users from robocalls and spam, and is enabled by default for many, if not all, Verizon Wireless customers. The app is powered by infrastructure operated by Cequint, a lesser-known telecom technology provider specializing in caller ID services. Cequint’s involvement was inferred through domain analysis, as the vulnerable API was hosted on a server tied to the company (cequintvzwecid.com) and registered via GoDaddy — a peculiar choice for a major telecom operation.
Evan Connelly
Massive potential exposure
The implications of this flaw were severe. The exposed data included lists of received calls and timestamps, revealing patterns of communication and potential physical movement when cross-referenced with social media or other public data. While no content of the calls was accessible, call metadata alone is a powerful surveillance vector, capable of endangering sensitive individuals such as journalists, law enforcement officers, abuse survivors, and political figures.
The vulnerability also affected users beyond those specifically targeted. Because many Verizon subscribers likely had Call Filter enabled by default, the scope of potential exposure encompassed a large swath of the U.S. mobile user base. Even though only incoming call records were leaked, attackers could still piece together communication patterns — especially if multiple targeted users were within the Verizon network.
Following responsible disclosure, Verizon acknowledged the issue on February 24, 2025, and confirmed it was fixed by March 25, 2025, after the researcher verified the vulnerability had been mitigated. The exact date of patching remains unclear.
This incident highlights broader concerns about the role and accountability of third-party vendors like Cequint in managing sensitive telecom infrastructure. Cequint’s website is currently offline, and little public information is available about their data handling policies or security posture — raising questions about the oversight of firms entrusted with access to high-value telecom data.
Users should consider disabling services like Call Filter if not needed, especially when privacy is paramount. Periodic reviews of app permissions and account settings are also recommended to ensure minimal exposure to data leak risks.
Leave a Reply