FindArticles © 2025. All Rights Reserved.

Neon Call Recording App Pulled After Serious Flaw

Bill Thompson
Last updated: October 28, 2025 6:32 pm

Neon, a fast-growing call recording app that, controversially, automatically transcribes recorded calls for its users and lets them share those conversations, was leaking data on the web in a way that allowed anyone to access thousands of call recordings. The flaw let people who were logged into the app view recordings, transcripts and, in some cases, phone numbers belonging to unrelated accounts. The app was immediately shut down, and its developer said it would relaunch once fixes and an audit were complete.

The problem was discovered during independent testing by TechCrunch, which revealed that Neon’s backend did not implement proper access controls. In practice, that meant a logged-in user could access other people’s call metadata, the text of transcriptions and even URLs associated with audio files just by querying the right endpoints — no special permissions needed.


The takedown was confirmed by developer Alex Kiam, who reassured users that the balances are still there but cash-outs and calls have been frozen while the team patches the vulnerability and undertakes a broader security audit. There are plans for a relaunch in the short term after repair and validation.

What Went Wrong: Broken Access Control Exposed Data

The evidence points to a typical broken access control issue, which frequently manifests as an insecure direct object reference. If an app exposes call object identifiers and does not strictly verify the caller's identity on every request for each object, the result is cross-tenant data exposure. In consumer apps this is often made worse by cloud storage links that are not protected by any secret and/or are scoped too loosely to a user and their session.

The Open Web Application Security Project places Broken Access Control at the very top of its OWASP Top 10, and that is not by mistake: it is prevalent, and the damage is often substantial. Beyond encryption at rest, products that handle access-controlled audio, call recordings included, require per-request authorization checks, expiring signed URLs when serving media assets, and strict separation of user data to avert the danger of enumeration or token reuse.
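The pattern described above, as an added example (not Neon's code, which the article does not show): a handler that treats being logged in as sufficient, next to one that checks ownership on every request, plus a regression check that replays every user against every record. The `Recording` store, the account names and all function names are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Recording:
    rec_id: int
    owner_id: str
    transcript: str

# Constructed sample data: two unrelated accounts with sequential IDs.
STORE = {
    1001: Recording(1001, "alice", "constructed transcript A"),
    1002: Recording(1002, "bob", "constructed transcript B"),
    1003: Recording(1003, "alice", "constructed transcript C"),
}

def get_recording_vulnerable(session_user, rec_id):
    """IDOR pattern: a valid session is the only requirement."""
    return STORE.get(rec_id)

def get_recording(session_user, rec_id, denied_log=None):
    """Checks ownership on every request; a foreign ID is answered exactly
    like a missing one, so responses do not confirm which IDs exist."""
    rec = STORE.get(rec_id)
    if rec is None:
        return None
    if rec.owner_id != session_user:
        if denied_log is not None:
            denied_log.append((session_user, rec_id))  # feed for audit/alerting
        return None
    return rec

def cross_tenant_leaks(handler, users):
    """Regression check: call the handler for every (user, record) pair and
    return the pairs where a user received another account's record."""
    leaks = []
    for user in users:
        for rec_id, rec in STORE.items():
            got = handler(user, rec_id)
            if got is not None and rec.owner_id != user:
                leaks.append((user, rec_id))
    return leaks
```

Run as part of a test suite, `cross_tenant_leaks` turns "every endpoint checks ownership" into something that fails the build when a new handler forgets the check.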

Inside Neon’s Pay-to-Share Model and How It Works

Released for iOS and Android, Neon remunerates users for calls conducted through its dialer, with the sales pitch that the recordings are used as training data for AI companies. The app has advertised in-app earnings of 30 cents a minute for calls with other Neon users versus 15 cents a minute for calls with non-users, at up to $30 per day plus additional referral rewards. Neon says that it anonymizes recordings by removing names, numbers, and other personal details before selling them to vetted partners.

Privacy researchers have long warned that “de-identified” audio and text is still subject to leakage of sensitive data, through voice characteristics, phrasing, and context. NIST’s de-identification guidance emphasizes the fact that effectiveness is highly situational and must be supplemented with strong access controls and governance. Strong anonymization claims are irrelevant, in other words, when basic authorization fails.

Why the Exposure Matters for Users and Businesses

Phone numbers and call transcripts are prime targets. They can be employed to create effective phishing, impersonation, and social engineering attacks and contain sensitive personal or business information. IBM’s most recent Cost of a Data Breach report benchmarked the global average for breach cost at around $4.9 million, fueled by factors such as incident response, regulatory exposure and customer churn — benchmarks that tick up when audio or health-adjacent data becomes part of the equation.

For a service premised on the monetization of human conversation, credibility rests on superior security. And when the user base loses faith that recordings kept on servers will be private, or that one’s ostensibly “anonymized” data can’t be trivially traced back to them, growth stops and downstream AI customers run for the hills lest they face reputational disaster.


Legal and Compliance Pressures Facing Call Recorders

Call recording sits at the intersection of wiretapping law and data protection law. Consent requirements vary widely; at one extreme, laws such as those in California, Pennsylvania, and Washington require all-party consent. If recordings or transcripts became available beyond those intended to hear them, issues of consent and lawful processing might arise under laws such as the CCPA and GDPR, in addition to regulatory focus on unfair or deceptive practices.

Security-by-design sure sounds like just another best-practice guideline, but in fact it is rapidly becoming an expectation in standards such as GDPR and the upcoming California Consumer Privacy Act.

Framework guidelines such as ISO 27001 and NIST focus on strong access control, least privilege, and continuous monitoring — policies that could have lessened the impact of this attack.

What Should I Do Now to Protect My Data and Phone

For now, users should assume that if their call data was disclosed, the content of those calls may have been as well, at least until Neon comes back with verified fixes. Common-sense steps include the following:

  • Revoke the app’s permissions.
  • Uninstall the app.
  • Watch for targeted phishing or scam calls that could use details inferred from recent conversations.

Users can also exercise their data rights over recordings where applicable, including requesting deletion of stored recordings and transcripts.

If a number linked to the account is receiving security alerts because of suspicious activity, consider activating call filtering and multi-factor authentication on any linked services to blunt downstream risk.

What It Will Take to Relaunch Safely and Restore Trust

A credible return will take more than a patch. Expect a formal postmortem, third-party security testing, and proof of hardened APIs with strong authorization checks. Short-lived, per-user media links, extensive audit logging, rate limiting, and tenant isolation are table stakes. Putting in place a public bug bounty or vulnerability disclosure program via a reputable platform would also go a long way toward rebuilding trust.
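What a short-lived, per-user media link can look like, as an added sketch that is not taken from Neon or any named product: the link carries an HMAC over the recording ID, the account it was issued to and an expiry, and the server rechecks all three against the current session before serving audio. The `/media/<id>.m4a` path, the parameter names, the five-minute cap and the key are assumptions.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

SIGNING_KEY = b"constructed-demo-key"  # placeholder; load from a secret store
MAX_TTL = 300  # seconds; assumed policy for "short-lived"

def _mac(rec_id, user_id, expires):
    # Assumes IDs never contain "|", so the signed fields cannot run together.
    msg = f"{rec_id}|{user_id}|{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()

def sign_media_url(rec_id, user_id, now, ttl=60):
    """Issue a link bound to one recording, one account and one expiry."""
    expires = int(now) + min(ttl, MAX_TTL)
    query = urlencode({"uid": user_id, "exp": expires,
                       "sig": _mac(rec_id, user_id, expires)})
    return f"/media/{rec_id}.m4a?{query}"

def verify_media_url(url, session_user, now):
    """Return "ok" or the reason the request must be refused."""
    parts = urlparse(url)
    q = parse_qs(parts.query)
    try:
        rec_id = parts.path.rsplit("/", 1)[1].split(".", 1)[0]
        uid, exp, sig = q["uid"][0], int(q["exp"][0]), q["sig"][0]
    except (KeyError, IndexError, ValueError):
        return "malformed"
    # Constant-time comparison; any edit to the ID, uid or exp breaks the MAC.
    if not hmac.compare_digest(sig.encode(), _mac(rec_id, uid, exp).encode()):
        return "bad_signature"
    if uid != session_user:
        return "wrong_user"   # a link forwarded to another account is useless
    if now >= exp:
        return "expired"
    return "ok"
```

The refusal reasons are meant for the audit log, not the response body; the client should see the same error for all of them.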

The model behind Neon, rewarding people for the economic value of their conversations, strikes a chord in a data-driven economy. But when your product is, quite literally, your voice, the margin of error is approximately zero. How quickly and transparently the fix is made, and how rigorous the controls put in place are, will be the real test of whether Neon can earn that trust back.

Bill Thompson is a veteran technology columnist and digital culture analyst with decades of experience reporting on the intersection of media, society, and the internet. His commentary has been featured across major publications and global broadcasters. Known for exploring the social impact of digital transformation, Bill writes with a focus on ethics, innovation, and the future of information.