Viral call-recording app Neon goes dark after exposing users’ phone numbers, call recordings, and transcripts


A viral app called Neon, which offers to record your phone calls and pay you for the audio so it can sell that data to AI companies, has quickly risen to the ranks of the top-five free iPhone apps since its launch last week.

The app already has thousands of users and was downloaded 75,000 times yesterday alone, according to app intelligence provider Appfigures. Neon pitches itself as a way for users to make money by providing call recordings that help train, improve, and test AI models.

But now Neon has gone offline, at least for now, after a security flaw allowed anyone to access the phone numbers, call recordings, and transcripts of any other user, TechCrunch can now report.

TechCrunch discovered the security flaw during a short test of the app on Thursday. We alerted the app's founder, Alex Kiam (who previously did not respond to a request for comment about the app), to the flaw soon after our discovery.

Kiam told TechCrunch early Thursday that he took down the app's servers and began notifying users about pausing the app, but fell short of informing his users about the security lapse.

The Neon app stopped functioning soon after we contacted Kiam.

Call recordings and transcripts exposed

At fault was the fact that the Neon app's servers were not preventing any logged-in user from accessing someone else's data.

TechCrunch created a new user account on a dedicated iPhone and verified a phone number as part of the sign-up process. We used a network traffic analysis tool called Burp Suite to inspect the network data flowing in and out of the Neon app, allowing us to understand how the app works at a technical level, such as how the app communicates with its back-end servers.

After making some test phone calls, the app showed us a list of our most recent calls and how much money each call earned. But our network analysis tool revealed details that were not visible to regular users in the Neon app. These details included the text-based transcript of the call and a web address to the audio files, which anyone could publicly access as long as they had the link.

For example, here you can see the transcript from our test call between two TechCrunch reporters confirming that the recording worked properly.

"Uh, it worked. Hooray. Okay. Thanks, mate." Image Credits: TechCrunch

But the backend servers were also capable of spitting out reams of other people's call recordings and their transcripts.

In one case, TechCrunch found that the Neon servers could produce data about the most recent calls made by the app's users, as well as providing public web links to their raw audio files and the transcript text of what was said on the call. (The audio files contain recordings of just those who installed Neon, not those they contacted.)

Similarly, the Neon servers could be manipulated to reveal the most recent call records (also known as metadata) from any of its users. This metadata contained the user's phone number and the phone number of the person they're calling, when the call was made, its duration, and how much money each call earned.

A review of a handful of transcripts and audio files suggests some users may be using the app to make lengthy calls that covertly record real-world conversations with other people in order to generate money through the app.
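The two failure modes described above, a server that checks only that a request is logged in before returning another user's call records, and audio files reachable by anyone holding a static link, are common enough to be worth showing side by side with their hardened forms. The following is an illustrative example added here; it is not Neon's code, the article says nothing about Neon's stack, and every user, session token, call record, field name and signing key in it is constructed.

```python
"""Illustrative example (added by the editor, not Neon's code).

1. Broken object-level authorization: an endpoint that trusts a user id
   named in the request instead of the identity bound to the session.
2. Static public links to audio files, versus short-lived HMAC-signed links
   that name their owner and expiry.

All data below is constructed sample data."""
import hashlib
import hmac
import time

# Constructed call metadata for two users. The article says records held both
# phone numbers, the time, duration and earnings; these field names are ours.
CALLS = {
    "user-a": [{"from": "+15550100", "to": "+15550200", "seconds": 312, "earned_usd": 0.89}],
    "user-b": [{"from": "+15550300", "to": "+15550400", "seconds": 1840, "earned_usd": 5.20}],
}
SESSIONS = {"token-a": "user-a", "token-b": "user-b"}  # session token -> user id

# Handlers return an HTTP-like (status, body) pair so the outcome is easy to check.


def recent_calls_vulnerable(session_token, requested_user):
    """Checks only that the caller is logged in, then serves whichever user id
    the request names. Any authenticated user can read everyone's records."""
    if session_token not in SESSIONS:
        return 401, None
    return 200, CALLS.get(requested_user, [])


def recent_calls_hardened(session_token, requested_user):
    """Derives the owner from the session and refuses any object that does not
    belong to that owner. requested_user is kept only for the comparison; a
    real endpoint would not accept it at all."""
    owner = SESSIONS.get(session_token)
    if owner is None:
        return 401, None
    if requested_user != owner:
        return 403, None
    return 200, CALLS[owner]


# Hypothetical server-side secret for signing audio links (constructed).
LINK_KEY = b"constructed-demo-key-rotate-me"


def _link_mac(user, audio_id, expires):
    msg = f"{user}/{audio_id}/{expires}".encode()
    return hmac.new(LINK_KEY, msg, hashlib.sha256).hexdigest()


def signed_audio_link(user, audio_id, now, ttl=300):
    """Link that carries its owner, an expiry, and an HMAC over both, so the
    path cannot be edited to point at another user's file and possession of
    the URL stops being enough once it expires."""
    expires = now + ttl
    return f"/audio/{user}/{audio_id}?exp={expires}&sig={_link_mac(user, audio_id, expires)}"


def verify_audio_link(session_token, link, now):
    """Server-side check: well-formed, unexpired, signature valid, and the
    owner named in the path matches the requesting session."""
    path, _, query = link.partition("?")
    parts = path.split("/")  # ["", "audio", user, audio_id]
    if len(parts) != 4 or parts[1] != "audio":
        return False
    user, audio_id = parts[2], parts[3]
    params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    try:
        expires, sig = int(params["exp"]), params["sig"]
    except (KeyError, ValueError):
        return False
    if now > expires or SESSIONS.get(session_token) != user:
        return False
    return hmac.compare_digest(_link_mac(user, audio_id, expires), sig)


if __name__ == "__main__":
    # user-b's session asking for user-a's records: served by the vulnerable path,
    # refused by the hardened one.
    print(recent_calls_vulnerable("token-b", "user-a"))
    print(recent_calls_hardened("token-b", "user-a"))
    now = int(time.time())
    link = signed_audio_link("user-a", "call-001", now)
    print(link, verify_audio_link("token-a", link, now), verify_audio_link("token-b", link, now))
```

The first fix is the one that matters: authorization has to be decided from the authenticated identity on the server, never from an identifier the client supplies. The signed link is a second layer for assets that must be fetched directly from storage; it does not replace the per-request check.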

App shuts down, for now

Soon after we alerted Neon to the flaw on Thursday, the company's founder, Kiam, sent out an email to customers alerting them to the app's shutdown.

"Your data privacy is our number one priority, and we want to make sure it is fully secure even during this period of rapid growth. Because of this, we are temporarily taking the app down to add extra layers of security," the email, shared with TechCrunch, reads.

Notably, the email makes no mention of a security lapse or that it exposed users' phone numbers, call recordings, and call transcripts to any other user who knew where to look.

It's unclear when Neon will come back online or whether this security lapse will gain the attention of the app stores.

Apple and Google have not yet responded to TechCrunch's requests for comment about whether or not Neon was compliant with their respective developer guidelines.

However, this would not be the first time that an app with serious security issues has made it onto these app marketplaces. Recently, a popular mobile dating companion app, Tea, experienced a data breach, which exposed its users' personal information and government-issued identity documents. Popular apps like Bumble and Hinge were caught in 2024 exposing their users' locations. Both stores also have to regularly purge malicious apps that slip past their app review processes.

When asked, Kiam did not immediately say if the app had undergone any security review ahead of its launch, and if so, who performed the review. Kiam also did not say, when asked, if the company has the technical means, such as logs, to determine if anyone else found the flaw before us or if any user data was stolen.

TechCrunch additionally reached out to Upfront Ventures and Xfund, which Kiam claims in a LinkedIn post have invested in his app. Neither firm has responded to our requests for comment as of publication.
