An iPhone app, called Acr call recorder, allows you to record your phone calls. A lot of people find this handy. (I'm not quite sure why. When I'm done with a call, I've got notes and action items, but I don't need the whole call. But, to each his or her own ...)
Well, apparently it's quite insecure. For one thing, it stores your calls in the cloud. For another, it uses no authentication when it retrieves them. It also uses insecure direct object referencing (IDOR), and so, with a little guesswork and experimentation, anybody can retrieve any calls at all from the system.
By the way, the "community," for the most part, also uses IDOR. Now, most of the "community" is open to the world, so this is hardly a problem (or news), but I detailed some of it in another posting, and even turn it to my advantage. For example, that other posting is at
https://community.isc2.org/t5/Tech-Talk/An-experiment-in-re-URLing/m-p/34471#M2902
but you can also get it if you specify https://community.isc2.org/t5/T/A/m-p/34471. There are significant sections of the URL that really do nothing, and can be modified. As another example, the URL for this post is
https://community.isc2.org/t5/Industry-News/Share-your-calls-Even-if-you-don-t-want-to/m-p/43945#M53...
but you can also use
https://community.isc2.org/t5/I/S/m-p/43945, or even
https://community.isc2.org/t5/something/somethingelse/m-p/43945. In general, this is bad practice, since it can allow for misuse of the disregarded fields. I could, for example, imply that this posting came from the "Careers" section of the "community" by specifying
https://community.isc2.org/t5/Career/Must-know/m-p/43945.
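As an added example (not code from the app or from the community site), here is a small Python model of both problems described above: an unauthenticated recording lookup that exposes the IDOR, next to a handler that requires a session and enforces ownership, and a post route that redirects ignored URL segments to the canonical path instead of silently serving them. The recording store, user names and canonical-path table are constructed for the example.

```python
# Added example: a framework-free model of the two issues in the post.
# The store and users below are constructed sample data.
from typing import Optional
import re

RECORDINGS = {  # constructed: recording id -> (owner, audio blob)
    1001: ("alice", b"call-with-bank"),
    1002: ("bob", b"call-with-doctor"),
}

def fetch_insecure(recording_id: int) -> Optional[bytes]:
    """IDOR: any id that exists is returned; no authentication, no ownership check."""
    rec = RECORDINGS.get(recording_id)
    return rec[1] if rec else None

def fetch_secure(session_user: Optional[str], recording_id: int) -> tuple:
    """Hardened: require a session, then enforce ownership. Returns (status, body)."""
    if session_user is None:
        return (401, None)
    rec = RECORDINGS.get(recording_id)
    # Same answer for "missing" and "not yours", so ids cannot be enumerated
    # by watching for a difference between 403 and 404.
    if rec is None or rec[0] != session_user:
        return (404, None)
    return (200, rec[1])

# Model of the community URL /t5/<board>/<slug>/m-p/<id>: only the id matters.
POST_PATH = re.compile(r"^/t5/([^/]+)/([^/]+)/m-p/(\d+)$")
# Constructed canonical table, using this post's own board and slug.
CANONICAL = {43945: ("Industry-News", "Share-your-calls-Even-if-you-don-t-want-to")}

def resolve_post(path: str) -> tuple:
    """Instead of serving any board/slug pair for a known id, redirect to the
    canonical path so a misleading URL cannot be presented as the real one."""
    m = POST_PATH.match(path)
    if not m:
        return (404, None)
    board, slug, post_id = m.group(1), m.group(2), int(m.group(3))
    canon = CANONICAL.get(post_id)
    if canon is None:
        return (404, None)
    canon_path = f"/t5/{canon[0]}/{canon[1]}/m-p/{post_id}"
    if (board, slug) != canon:
        return (301, canon_path)  # redirect, do not serve under the wrong section
    return (200, canon_path)
```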
............
Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413
This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468