A viral app called Neon, which offers to record your phone calls and pay you for the audio so it can sell that data to AI companies, has quickly risen to the ranks of the top five free iPhone apps since its launch last week.
The app already has thousands of users and was downloaded 75,000 times yesterday alone, according to app intelligence provider Appfigures. Neon pitches itself as a way for users to make money by providing call recordings that help train, improve, and test AI models.
But now Neon has gone offline, at least for now, after a security flaw allowed anyone to access the phone numbers, call recordings, and transcripts of any other user, TechCrunch can now report.
TechCrunch discovered the security flaw during a short test of the app on Thursday. We alerted the app's founder, Alex Kiam (who previously did not respond to a request for comment about the app), to the flaw soon after our discovery.
Kiam told TechCrunch later Thursday that he took down the app's servers and began notifying users about pausing the app, but fell short of informing his users about the security lapse.
The Neon app stopped functioning soon after we contacted Kiam.
Call recordings and transcripts exposed
At fault was the fact that the Neon app's servers were not preventing any logged-in user from accessing someone else's data.
TechCrunch created a new user account on a dedicated iPhone and verified a phone number as part of the sign-up process. We used a network traffic analysis tool called Burp Suite to inspect the network data flowing in and out of the Neon app, allowing us to understand how the app works at a technical level, such as how the app communicates with its back-end servers.
After making some test phone calls, the app showed us a list of our most recent calls and how much money each call earned. But our network analysis tool revealed details that were not visible to regular users in the Neon app. These details included the text-based transcript of the call and a web address for the audio files, which anyone could publicly access as long as they had the link.
For example, here you can see the transcript from our test call between two TechCrunch reporters confirming that the recording worked properly.
[Image: transcript of the test call. Image Credits: TechCrunch]
But the back-end servers were also capable of spitting out reams of other people's call recordings and their transcripts.
In one case, TechCrunch found that the Neon servers could produce data about the most recent calls made by the app's users, as well as providing public web links to their raw audio files and the transcript text of what was said on the call. (The audio files contain recordings of only those who installed Neon, not those they contacted.)
Similarly, the Neon servers could be manipulated to reveal the most recent call records (also known as metadata) of any of its users. This metadata contained the user's phone number and the phone number of the person they were calling, when the call was made, its duration, and how much money each call earned.
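The flaw described above is a missing authorization check: the server confirmed that a request came from a logged-in user but not that the requested call belonged to that user, and it handed out bare, publicly reachable links to the audio files. The following Python sketch is an added example written for this page, not Neon's code; the record store, user ids, field names and endpoint paths are constructed to show the vulnerable pattern beside the corrected one.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CallRecord:
    """One recorded call. Field names are assumed for this example."""
    call_id: str
    owner_id: str            # the user who made the recording
    counterpart_number: str  # number dialled (call metadata)
    duration_s: int
    transcript: str
    audio_key: str           # storage key; never handed out as a bare public URL


# Constructed sample data: two users with one recording each.
RECORDS = {
    "c-100": CallRecord("c-100", "user-a", "+15550000001", 42, "A's test call", "audio/c-100.m4a"),
    "c-200": CallRecord("c-200", "user-b", "+15550000002", 300, "B's test call", "audio/c-200.m4a"),
}


class NotFound(Exception):
    """Raised for both a missing record and a record the caller does not own,
    so the response does not reveal which call ids exist."""


def _metadata(rec: CallRecord) -> dict:
    return {"call_id": rec.call_id, "counterpart": rec.counterpart_number, "duration_s": rec.duration_s}


# --- Vulnerable pattern: authenticated, but not authorized -------------------

def get_call_vulnerable(session_user: str, call_id: str) -> dict:
    """Looks the record up by id alone. Any logged-in user can read any call,
    and the audio link is a public URL that works for anyone who has it."""
    rec = RECORDS[call_id]  # session_user is never consulted
    return {
        "transcript": rec.transcript,
        "audio_url": f"https://cdn.example.invalid/{rec.audio_key}",
    }


def list_recent_calls_vulnerable(requested_user_id: str) -> list:
    """Trusts a client-supplied user id, so any user's call metadata can be listed."""
    return [_metadata(r) for r in RECORDS.values() if r.owner_id == requested_user_id]


# --- Fixed pattern: object-level authorization on every read ----------------

def get_call_fixed(session_user: str, call_id: str) -> dict:
    """Scopes the lookup to the session user. Audio is referenced through an
    authenticated endpoint rather than a bare storage URL."""
    rec = RECORDS.get(call_id)
    if rec is None or rec.owner_id != session_user:
        raise NotFound(call_id)
    return {
        "transcript": rec.transcript,
        "audio_url": f"/api/calls/{rec.call_id}/audio",  # handled by get_call_audio_fixed
    }


def get_call_audio_fixed(session_user: str, call_id: str) -> str:
    """The audio endpoint repeats the ownership check instead of trusting the link."""
    rec = RECORDS.get(call_id)
    if rec is None or rec.owner_id != session_user:
        raise NotFound(call_id)
    return rec.audio_key  # a real service would stream the stored object here


def list_recent_calls_fixed(session_user: str) -> list:
    """The owner filter comes from the session, never from the request."""
    return [_metadata(r) for r in RECORDS.values() if r.owner_id == session_user]


if __name__ == "__main__":
    print(get_call_vulnerable("user-a", "c-200"))  # leaks user-b's transcript
    try:
        get_call_fixed("user-a", "c-200")
    except NotFound:
        print("fixed handler refused the cross-user read")
```

The fixed handlers return the same "not found" result for a record that does not exist and for one owned by someone else, so a caller cannot use the difference to confirm which call ids exist.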
A review of a handful of transcripts and audio files suggests some users may be using the app to make lengthy calls that covertly record real-world conversations with other people in order to make money through the app.
App shuts down, for now
Soon after we alerted Neon to the flaw on Thursday, the company's founder, Kiam, sent out an email to customers alerting them to the app's shutdown.
"Your data privacy is our number one priority, and we want to make sure it is fully secure even during this period of rapid growth. Because of this, we are temporarily taking the app down to add extra layers of security," the email, shared with TechCrunch, reads.
Notably, the email makes no mention of a security lapse or that it exposed users' phone numbers, call recordings, and call transcripts to any other user who knew where to look.
It's unclear when Neon will come back online or whether this security lapse will draw the attention of the app stores.
Apple and Google have not yet responded to TechCrunch's requests for comment about whether or not Neon was compliant with their respective developer guidelines.
However, this would not be the first time that an app with serious security issues has made it onto these app marketplaces. Recently, a popular mobile dating safety app, Tea, experienced a data breach, which exposed its users' personal information and government-issued identity documents. Popular apps like Bumble and Hinge were caught in 2024 exposing their users' locations. Both stores also have to regularly purge malicious apps that slip past their app review processes.
When asked, Kiam did not immediately say if the app had undergone any security review ahead of its launch, and if so, who performed the review. Kiam also did not say, when asked, if the company has the technical means, such as logs, to determine if anyone else found the flaw before us or if any user data was stolen.
TechCrunch additionally reached out to Upfront Ventures and Xfund, which Kiam claims in a LinkedIn post have invested in his app. Neither firm has responded to our requests for comment as of publication.