In late September 2025, the call-recording app Neon shot to the top of the Apple App Store, reaching the No. 2 spot in the United States, by offering to pay users for recorded calls and reselling those recordings and transcripts to AI companies. Within days, a critical access-control flaw found during TechCrunch's testing allowed any authenticated user to retrieve other people's phone numbers, audio files, and transcripts. Following disclosure, Neon was temporarily taken offline.
Monetization model, rapid growth, and AI training data
According to Neon Mobile’s own materials, the app paid users $0.30 per minute for Neon-to-Neon calls and up to $30 per day for conversations with non‑Neon contacts, supported by a referral program. The company marketed recorded audio and text transcripts to AI firms for model training and evaluation. Appfigures reported over 75,000 installs on September 24, 2025, propelling Neon into the top five of the Social Networking category and helping it reach No. 2 overall in the U.S. App Store rankings.
TechCrunch finds Broken Access Control (IDOR) in Neon’s backend
During testing, TechCrunch created a fresh Neon account on a separate iPhone, verified the phone number, and analyzed the app's network traffic with Burp Suite. The probe identified Broken Access Control, specifically an Insecure Direct Object Reference (IDOR): the server authenticated the caller but then looked up resources purely by the identifier supplied in the request, without checking that the caller owned them. In practice, this meant any logged‑in user could request and receive other users' resources simply by changing an identifier.
What was exposed: phone numbers, audio, transcripts, and payouts
The application's responses included direct URLs to call audio and transcripts, which were accessible to anyone holding the link. The backend also returned recent call lists for arbitrary users, including both parties' phone numbers, timestamps, call durations, and the payout amount per recording. In some instances, recordings appeared to capture only the Neon user's side of the call; even so, the counterpart's phone number and the substance of the conversation were exposed, compounding the privacy risk for people who never opted in.
Risk analysis: why Broken Access Control remains the top web app risk
OWASP classifies Broken Access Control as the top risk in the OWASP Top 10 (A01:2021) because missing or weak authorization checks routinely expose sensitive objects—files, records, and personal data—to unauthorized parties. In Neon’s case, the exposure combined personal identifiers (phone numbers) with highly sensitive content (voice and transcripts), heightening risks of social engineering, phishing, extortion, and doxing. Voice content also carries potential biometric and psychological profiling concerns.
Similar API access‑control failures have affected consumer applications before, underscoring how common and impactful IDOR can be. Industry guidance such as the OWASP Top 10 and NIST SP 800‑53 (the AC control family) emphasizes strict object‑level authorization and least privilege. The Verizon Data Breach Investigations Report regularly cites web application weaknesses and misconfigurations as leading breach vectors, reinforcing that this class of flaw is a persistent and material risk.
Vendor response and open questions on security assurance
Co‑founder Alex Kiam disabled Neon’s servers after receiving the findings and notified users that operations were paused to “add additional layers of security.” The message did not name the specific vulnerability. Neon did not clarify whether any independent security assessment took place prior to launch or whether logs exist to determine the scope of unauthorized access. A timeline for restoration remains unknown. Apple and Google did not respond to questions about the app’s compliance with marketplace policies.
Preventing a repeat: access control, secure media delivery, and isolation
Engineering defenses should prioritize object‑level authorization (ACL/ABAC), strict ownership checks before serving any resource, and the principle of least privilege. The identity used for the check must come from the session, never from a user identifier in the request. Media should not be exposed via open, static links; instead, issue short‑lived, signed URLs only after the ownership check passes, with the signature bound to the specific file, the requesting principal, and an expiry time. Apply data segmentation and tenant isolation to prevent cross‑account data leakage.
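The following is an added illustration, not Neon's code (the backend's real endpoints and schema are not public). It models the two failure modes TechCrunch described, a recording fetched by client-supplied id and a call list returned for an arbitrary user, next to hardened versions that enforce ownership from the session, and it shows signed media URLs minted only after that check. The in-memory store, field names, host name, and key handling are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed in-memory store standing in for the backend database; the real
# schema is not public, so the field names here are assumptions.
RECORDINGS = {
    "rec-1001": {"owner": "user-A", "counterpart": "+15550001111", "audio": "rec-1001.m4a"},
    "rec-1002": {"owner": "user-B", "counterpart": "+15550002222", "audio": "rec-1002.m4a"},
}

# Assumption: in production this is a per-deployment secret from a KMS or secret store.
SIGNING_KEY = secrets.token_bytes(32)


class NotFound(Exception):
    pass


def get_recording_idor(session_user, rec_id):
    """Vulnerable pattern: the caller is authenticated, but the object is fetched
    purely by the client-supplied id, so any logged-in user can read any recording."""
    if session_user is None:
        raise PermissionError("login required")
    rec = RECORDINGS.get(rec_id)
    if rec is None:
        raise NotFound(rec_id)
    return rec


def list_calls_idor(session_user, target_user):
    """Vulnerable pattern: the user whose call list is returned comes from the
    request (target_user), not from the session, so it can be set to anyone."""
    return [r for r in RECORDINGS.values() if r["owner"] == target_user]


def get_recording_checked(session_user, rec_id):
    """Hardened: object-level authorization. A recording the caller does not own is
    reported as not found, so the endpoint does not even confirm that the id exists."""
    rec = RECORDINGS.get(rec_id)
    if rec is None or rec["owner"] != session_user:
        raise NotFound(rec_id)
    return rec


def list_calls_checked(session_user):
    """Hardened: the principal is taken from the session only."""
    return [r for r in RECORDINGS.values() if r["owner"] == session_user]


def mint_media_url(session_user, rec_id, ttl_seconds=60, now=None):
    """Issue a short-lived URL for the audio file, but only after the ownership
    check passes. The HMAC covers the file name, the principal and the expiry, so
    the URL cannot be retargeted at another recording or reused by another user."""
    rec = get_recording_checked(session_user, rec_id)
    expires = int(now if now is not None else time.time()) + ttl_seconds
    msg = f"{rec['audio']}|{session_user}|{expires}".encode()
    sig = hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()
    query = urlencode({"u": session_user, "exp": expires, "sig": sig})
    return f"https://media.example.invalid/{rec['audio']}?{query}"


def verify_media_url(url, session_user, now=None):
    """Media endpoint check: the presenting session must match the principal the
    URL was minted for, the URL must be unexpired, and the signature must verify."""
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    audio = parts.path.lstrip("/")
    try:
        expires = int(query["exp"])
    except (KeyError, ValueError):
        return False
    current = int(now if now is not None else time.time())
    if current > expires or query.get("u") != session_user:
        return False
    msg = f"{audio}|{query['u']}|{expires}".encode()
    expected = hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, query.get("sig", ""))
```

Returning "not found" rather than "forbidden" for someone else's object is deliberate: a distinct 403 tells an attacker that the guessed identifier is valid, which makes enumeration cheaper. Binding the signature to the principal means a leaked media link is useless to anyone whose session does not match, and the short expiry limits the window even for the intended user.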
Secure SDLC and continuous assurance
Embed security into the SDLC: conduct threat modeling, add unit and integration tests that specifically attempt unauthorized object access, run regular SAST/DAST, API design reviews and penetration tests, and operate a bug bounty program. Enable centralized logging and anomaly detection to catch mass enumeration or bulk downloads, and implement rate limiting. Encrypt data in transit and at rest, while recognizing that encryption cannot compensate for missing authorization. For products handling voice and transcripts, adopt privacy‑by‑design and explicit, transparent consent mechanisms.
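As an added example of the enumeration detection mentioned above (not code from Neon or from any named product), the following runs a sliding-window check over constructed API access log lines. The log format, endpoint path and thresholds are assumptions; the point is the two signals a defender would look for: one user touching an unusually large number of distinct recording ids in a short window, and a run of not-found responses that indicates id guessing against a backend that has already been fixed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Assumed log format: "<ISO timestamp> user=<id> <METHOD> <path> <status>".
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
# Assumed resource path; a trailing sub-resource such as /audio is tolerated.
OBJECT_RE = re.compile(r"^/v1/recordings/(?P<id>[A-Za-z0-9-]+)(?:/\w+)?$")


def parse_line(line):
    """Return a structured event for a recording access, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    obj = OBJECT_RE.match(m["path"])
    if not obj:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "object_id": obj["id"], "status": int(m["status"])}


def detect_enumeration(lines, window=timedelta(minutes=5), max_objects=20, max_not_found=10):
    """Per user, slide a time window over recording accesses and flag when the number
    of distinct ids or the number of 404s inside the window exceeds the threshold."""
    per_user = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            per_user[ev["user"]].append(ev)
    alerts = {}
    for user, events in per_user.items():
        events.sort(key=lambda e: e["ts"])
        seen, not_found, start = Counter(), 0, 0
        reasons = set()
        for ev in events:
            seen[ev["object_id"]] += 1
            not_found += ev["status"] == 404
            # Drop events that have fallen out of the window.
            while ev["ts"] - events[start]["ts"] > window:
                old = events[start]
                seen[old["object_id"]] -= 1
                if seen[old["object_id"]] == 0:
                    del seen[old["object_id"]]
                not_found -= old["status"] == 404
                start += 1
            if len(seen) > max_objects:
                reasons.add("distinct-object-enumeration")
            if not_found > max_not_found:
                reasons.add("not-found-probing")
        if reasons:
            alerts[user] = sorted(reasons)
    return alerts


def _stamp(seconds):
    base = datetime(2025, 9, 25, 10, 0, 0, tzinfo=timezone.utc)
    return (base + timedelta(seconds=seconds)).strftime("%Y-%m-%dT%H:%M:%SZ")


# Constructed sample log: user-A reads three of their own recordings, user-C walks
# thirty sequential ids and gets 200s (an unpatched IDOR), user-D walks fifteen ids
# against a patched backend and gets 404s.
SAMPLE_LOG = (
    [f"{_stamp(i)} user=user-A GET /v1/recordings/rec-100{i + 1} 200" for i in range(3)]
    + [f"{_stamp(10 + i)} user=user-C GET /v1/recordings/rec-{2000 + i} 200" for i in range(30)]
    + [f"{_stamp(60 + i)} user=user-D GET /v1/recordings/rec-{3000 + i}/audio 404" for i in range(15)]
    + [f"{_stamp(90)} user=user-A POST /v1/login 200"]
)

if __name__ == "__main__":
    for user, reasons in detect_enumeration(SAMPLE_LOG).items():
        print(user, reasons)
```

Thresholds like these must be tuned against real traffic, since legitimate clients refreshing a long call history can also touch many ids; the 404 signal is the more reliable of the two once ownership checks are in place, because a well-behaved client never asks for recordings it does not own. Pair the alert with rate limiting so that detection is not the only control.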
The Neon incident illustrates how growth‑driven monetization, especially when trading in intimate data like speech, demands rigorous access control and independent security testing from day one. Users should scrutinize apps that monetize personal data, restrict their permissions, and revoke access when uncertain. Developers and product leaders should treat authorization as a critical‑path requirement, not a post‑launch enhancement.