https://community.isc2.org/t5/Industry-News/Share-your-calls-Even-if-you-don-t-want-to/m-p/43945#M5337 <P>An iPhone app, called Acr call recorder, allows you to record your phone calls.&nbsp; A lot of people find this handy.&nbsp; (I'm not quite sure why.&nbsp; When I'm done with a call, I've got notes and action items, but I don't need the whole call.&nbsp; But, to each his or her own ...)</P><P>&nbsp;</P><P>Well, apparently <A href="https://nakedsecurity.sophos.com/2021/03/11/how-confidential-are-your-calls-this-iphone-app-shared-them-with-everyone/" target="_blank" rel="noopener">it's quite insecure</A>.&nbsp; For one thing, it stores you calls in the cloud.&nbsp; For another, it uses no authentication when it retrieves them.&nbsp; It also uses insecure direct object referencing (IDOR), and so, with a little guesswork and experimentation, anybody can retrieve any calls at all from the system.</P><P>&nbsp;</P><P>By the way, the "community," for the most part, also uses IDOR.&nbsp; Now, most of the "community" is open to the world, so this is hardly a problem (or news), but I detailed some of it in <A href="https://community.isc2.org/t5/Tech-Talk/An-experiment-in-re-URLing/m-p/34471#M2902" target="_blank" rel="noopener">another posting</A>, and even turn it to my advantage.&nbsp; For example, that other posting is at&nbsp;</P><P><A href="https://community.isc2.org/t5/Tech-Talk/An-experiment-in-re-URLing/m-p/34471#M2902" target="_blank" rel="noopener">https://community.isc2.org/t5/Tech-Talk/An-experiment-in-re-URLing/m-p/34471#M2902</A></P><P>but you can also get it if you specify&nbsp;<A href="https://community.isc2.org/t5/T/A/m-p/34471" target="_blank" rel="noopener">https://community.isc2.org/t5/T/A/m-p/34471</A>.&nbsp; There are significant sections of the URL that really do nothing, and can be modified.&nbsp; As another example, the URL for this post is&nbsp;</P><P><A href="https://community.isc2.org/t5/Industry-News/Share-your-calls-Even-if-you-don-t-want-to/m-p/43945#M5337" target="_blank">https://community.isc2.org/t5/Industry-News/Share-your-calls-Even-if-you-don-t-want-to/m-p/43945#M5337</A></P><P>but you can also use&nbsp;</P><P><A href="https://community.isc2.org/t5/I/S/m-p/43945" target="_blank">https://community.isc2.org/t5/I/S/m-p/43945</A>, or even&nbsp;</P><P><A href="https://community.isc2.org/t5/something/somethingelse/m-p/43945" target="_blank">https://community.isc2.org/t5/something/somethingelse/m-p/43945</A>.&nbsp; In general, this is bad practice, since it can allow for misuse of the disregarded fields.&nbsp; I could, for example, imply that this posting came from the "Careers" section of the "community" by specifying&nbsp;</P><P><A href="https://community.isc2.org/t5/Career/Must-know/m-p/43945" target="_blank" rel="noopener">https://community.isc2.org/t5/Career/Must-know/m-p/43945</A>.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 12 Mar 2021 18:30:00 GMT rslade 2021-03-12T18:30:00Z https://community.isc2.org/t5/Industry-News/Share-your-calls-Even-if-you-don-t-want-to/m-p/43945#M5337 <P>An iPhone app, called Acr call recorder, allows you to record your phone calls.&nbsp; A lot of people find this handy.&nbsp; (I'm not quite sure why.&nbsp; When I'm done with a call, I've got notes and action items, but I don't need the whole call.&nbsp; But, to each his or her own ...)</P><P>&nbsp;</P><P>Well, apparently <A href="https://nakedsecurity.sophos.com/2021/03/11/how-confidential-are-your-calls-this-iphone-app-shared-them-with-everyone/" target="_blank" rel="noopener">it's quite insecure</A>.&nbsp; For one thing, it stores you calls in the cloud.&nbsp; For another, it uses no authentication when it retrieves them.&nbsp; It also uses insecure direct object referencing (IDOR), and so, with a little guesswork and experimentation, anybody can retrieve any calls at all from the system.</P><P>&nbsp;</P><P>By the way, the "community," for the most part, also uses IDOR.&nbsp; Now, most of the "community" is open to the world, so this is hardly a problem (or news), but I detailed some of it in <A href="https://community.isc2.org/t5/Tech-Talk/An-experiment-in-re-URLing/m-p/34471#M2902" target="_blank" rel="noopener">another posting</A>, and even turn it to my advantage.&nbsp; For example, that other posting is at&nbsp;</P><P><A href="https://community.isc2.org/t5/Tech-Talk/An-experiment-in-re-URLing/m-p/34471#M2902" target="_blank" rel="noopener">https://community.isc2.org/t5/Tech-Talk/An-experiment-in-re-URLing/m-p/34471#M2902</A></P><P>but you can also get it if you specify&nbsp;<A href="https://community.isc2.org/t5/T/A/m-p/34471" target="_blank" rel="noopener">https://community.isc2.org/t5/T/A/m-p/34471</A>.&nbsp; There are significant sections of the URL that really do nothing, and can be modified.&nbsp; As another example, the URL for this post is&nbsp;</P><P><A href="https://community.isc2.org/t5/Industry-News/Share-your-calls-Even-if-you-don-t-want-to/m-p/43945#M5337" target="_blank">https://community.isc2.org/t5/Industry-News/Share-your-calls-Even-if-you-don-t-want-to/m-p/43945#M5337</A></P><P>but you can also use&nbsp;</P><P><A href="https://community.isc2.org/t5/I/S/m-p/43945" target="_blank">https://community.isc2.org/t5/I/S/m-p/43945</A>, or even&nbsp;</P><P><A href="https://community.isc2.org/t5/something/somethingelse/m-p/43945" target="_blank">https://community.isc2.org/t5/something/somethingelse/m-p/43945</A>.&nbsp; In general, this is bad practice, since it can allow for misuse of the disregarded fields.&nbsp; I could, for example, imply that this posting came from the "Careers" section of the "community" by specifying&nbsp;</P><P><A href="https://community.isc2.org/t5/Career/Must-know/m-p/43945" target="_blank" rel="noopener">https://community.isc2.org/t5/Career/Must-know/m-p/43945</A>.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 12 Mar 2021 18:30:00 GMT https://community.isc2.org/t5/Industry-News/Share-your-calls-Even-if-you-don-t-want-to/m-p/43945#M5337 rslade 2021-03-12T18:30:00Z