The How To Guide was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: Holiday.com, ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on The How To Guide are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

Verizon API Flaw Exposed User Call Logs

Husain Parvez, Cybersecurity Researcher. First published on April 08, 2025.

A serious security vulnerability in Verizon’s Call Filter app allowed users to access the incoming call logs of any other Verizon customer by modifying an API request. The issue, discovered by cybersecurity researcher Evan Connelly, was disclosed to Verizon in February 2025 and patched by mid-March. Verizon confirmed the issue in a statement to BleepingComputer, adding that the vulnerability “only impacted iOS devices” and there was “no indication that the flaw was exploited.”

The bug was rooted in an API used by the Call Filter app, a spam-blocking tool pre-installed on most Verizon phones. According to Connelly, the app connected to an endpoint that accepted a user’s phone number in the request header without verifying it against the JWT token used for authentication. This made it possible for anyone with technical know-how to retrieve another user’s call history simply by swapping in a different phone number.
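
The missing check described above, sketched as an added example (not Verizon's or Cequint's code): a handler that validates the token but trusts the header, next to one that binds the requested number to the verified claim. The header name X-Phone-Number, the `sub` claim carrying the number, the HS256 demo key and the sample records are assumptions constructed for illustration.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"  # assumption: HS256 shared secret, demo only
CALL_LOGS = {  # constructed sample records, keyed by subscriber number
    "+15550100001": ["2025-02-01T09:14Z from +15550100777"],
    "+15550100002": ["2025-02-01T11:40Z from +15550100888"],
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(phone: str) -> str:
    """Mint an HS256 JWT whose 'sub' claim is the subscriber's number."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({"sub": phone}).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def verify_token(token: str) -> dict:
    """Return the claims if the signature is valid, else raise PermissionError."""
    try:
        head, body, sig = token.split(".")
        if json.loads(_unb64(head)).get("alg") != "HS256":
            raise ValueError("unexpected alg")
        expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            raise ValueError("bad signature")
        return json.loads(_unb64(body))
    except (ValueError, TypeError) as exc:
        raise PermissionError("invalid token") from exc

def get_call_log_flawed(headers: dict) -> tuple:
    """Pattern from the article: token is checked, header number is trusted as-is."""
    verify_token(headers.get("Authorization", "").removeprefix("Bearer "))
    return 200, CALL_LOGS.get(headers["X-Phone-Number"], [])

def get_call_log_fixed(headers: dict) -> tuple:
    """Serve records only for the number the verified token was issued to."""
    claims = verify_token(headers.get("Authorization", "").removeprefix("Bearer "))
    subject = claims.get("sub")
    if not subject or headers.get("X-Phone-Number") != subject:
        return 403, []  # mismatch: reject, and log it as an access-control event
    return 200, CALL_LOGS.get(subject, [])
```

A 403 from the fixed handler is also a useful detection signal: an authenticated caller asking for a number other than its own should not happen in normal client traffic.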

Although the flaw did not expose call content or messages, metadata such as timestamps and contact patterns still poses significant privacy risks, particularly for high-risk individuals like journalists or law enforcement personnel. Call logs might not seem to offer much information at first, but Connelly emphasized that they could be “a powerful surveillance tool” in the wrong hands.

“With unrestricted access to another user's call history, an attacker could reconstruct daily routines, identify frequent contacts, and infer personal relationships,” Connelly explained.

The API was hosted by Cequint, a third-party telecom vendor specializing in caller ID tech, raising further concerns about how Verizon handles customer data via external providers. No passwords, no permissions: just a number and a little know-how were enough to exploit the flaw.

The incident also follows alarming cybersecurity trends highlighted in Verizon’s own 2024 Data Breach Investigations Report. As we reported earlier last year, vulnerability exploitation had surged 180% in a single year, with human error playing a role in 68% of breaches.

About the Author

Husain Parvez is a Cybersecurity Researcher and News Writer at The How To Guide, focusing on VPN reviews, detailed how-to guides, and hands-on tutorials. Husain is also a part of The How To Guide Cybersecurity News bulletin and loves covering the latest events in cyberspace and data privacy.
