This iPhone app has published the recorded calls of thousands of users

A security vulnerability has been discovered in a popular iPhone call recording app, potentially exposing the call recordings of thousands of users.

The flaw in the Automatic Call Recorder app was discovered by PingSafe AI security researcher Anand Prakash. It was found that anyone could access another user's recordings as long as they knew the other user's phone number.

According to Prakash, accessing all of a user's recorded calls is not as simple as entering that user's phone number, but it is not difficult either. Prakash did it using the network-intercepting proxy tool "Burp Suite."

Burp Suite, which is widely used by security researchers, allowed Prakash to see and modify the network traffic to and from the Automatic Call Recorder app on the iPhone. It allowed him to change a registered phone number to that of another registered user.

This vulnerability illustrates the inherent danger of storing app data in cloud storage without properly protecting it.
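The class of flaw described above, where the phone number in a request is the only thing selecting whose recordings come back, is shown below as an added illustration next to a server-side check that closes it. This is not the app's code; the page does not describe the app's real API, so the handler names, request fields, token scheme and sample data are all hypothetical.

```python
import hashlib
import hmac

# Constructed sample data: phone numbers, file names and the key are invented.
SERVER_KEY = b"constructed-demo-key"
RECORDINGS = {
    "+15550100": ["call-001.m4a", "call-002.m4a"],
    "+15550199": ["call-777.m4a"],
}


def issue_token(phone):
    """Issued by the server once the number has been verified (assumed step)."""
    return hmac.new(SERVER_KEY, phone.encode(), hashlib.sha256).hexdigest()


def list_recordings_weak(request):
    # Flawed pattern: the client-supplied phone number alone decides
    # whose recordings are returned.
    return RECORDINGS.get(request["phone"], [])


def list_recordings_checked(request):
    # Hardened pattern: the caller must present a token the server issued
    # for exactly this number, so a number edited in transit is rejected.
    expected = issue_token(request["phone"])
    if not hmac.compare_digest(expected, request.get("token", "")):
        raise PermissionError("token does not match requested phone number")
    return RECORDINGS.get(request["phone"], [])


def demo():
    # A request from the owner of +15550100, then the same request with
    # only the phone field changed, as an intercepting proxy could do.
    own = {"phone": "+15550100", "token": issue_token("+15550100")}
    altered = dict(own, phone="+15550199")
    results = {"weak_altered": list_recordings_weak(altered)}
    results["checked_own"] = list_recordings_checked(own)
    try:
        list_recordings_checked(altered)
        results["checked_altered"] = "allowed"
    except PermissionError:
        results["checked_altered"] = "denied"
    return results


if __name__ == "__main__":
    print(demo())
```

The same rule applies to the storage layer: the bucket should hand out objects only through the checked path, never on the strength of an identifier the client supplies.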

According to TechCrunch, which was able to reproduce the exploit, Automatic Call Recorder stores recordings in a cloud storage bucket hosted by Amazon Web Services. That bucket stored approximately 130,000 recordings that occupied 300 gigabytes of space.

According to a report released last week by mobile security firm Zimperium, data leaks from smartphone apps are not uncommon. The company found nearly 18,000 Android and iOS apps that had not properly configured their cloud storage databases. The report does not name the apps, but the finding means millions of users could be at risk of a data breach.

TechCrunch contacted the developer of Automatic Call Recorder, and the developer immediately patched the exploit on March 6. Therefore, if you update your Automatic Call Recorder to version 2.26, there is no need to rush to delete all of your recordings.
