diff --git a/service/src/main/java/org/whispersystems/textsecuregcm/controllers/VoiceVerificationController.java b/service/src/main/java/org/whispersystems/textsecuregcm/controllers/VoiceVerificationController.java
index d1054b514..3c16666c6 100644
--- a/service/src/main/java/org/whispersystems/textsecuregcm/controllers/VoiceVerificationController.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/controllers/VoiceVerificationController.java
@@ -5,6 +5,11 @@
 
 package org.whispersystems.textsecuregcm.controllers;
 
+import java.util.Collections;
+import java.util.List;
+import java.util.Locale.LanguageRange;
+import java.util.Set;
+import java.util.stream.Collectors;
 import javax.ws.rs.POST;
 import javax.ws.rs.Path;
 import javax.ws.rs.PathParam;
@@ -12,8 +17,7 @@ import javax.ws.rs.Produces;
 import javax.ws.rs.QueryParam;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
-import java.util.List;
-import java.util.Set;
+import org.whispersystems.textsecuregcm.util.Util;
 
 @SuppressWarnings("OptionalUsedAsFieldOrParameterType")
 @Path("/v1/voice/")
@@ -46,6 +50,8 @@ public class VoiceVerificationController {
       "    <Play>%s</Play>\n" +
       "</Response>";
 
+  private static final String DEFAULT_LOCALE = "en-US";
+
 
   private final String      baseUrl;
   private final Set<String> supportedLocales;
@@ -65,19 +71,22 @@ public class VoiceVerificationController {
       return Response.status(400).build();
     }
 
-    for (final String locale : locales) {
-      if (locale != null && supportedLocales.contains(locale)) {
-        return getLocalizedDescription(code, locale);
-      }
+    if (locales == null) {
+      locales = Collections.emptyList();
     }
 
-    for (final String locale : locales) {
-      if (locale != null && locale.split("-").length >= 1 && supportedLocales.contains(locale.split("-")[0])) {
-        return getLocalizedDescription(code, locale.split("-")[0]);
-      }
+    final List<LanguageRange> priorityList;
+    try {
+      priorityList = locales.stream()
+          .map(LanguageRange::new)
+          .collect(Collectors.toList());
+    } catch (final IllegalArgumentException e) {
+      return Response.status(400).build();
     }
 
-    return getLocalizedDescription(code, "en-US");
+    final String localeMatch = Util.findBestLocale(priorityList, supportedLocales).orElse(DEFAULT_LOCALE);
+
+    return getLocalizedDescription(code, localeMatch);
   }
 
   private Response getLocalizedDescription(String code, String locale) {
diff --git a/service/src/test/java/org/whispersystems/textsecuregcm/tests/controllers/VoiceVerificationControllerTest.java b/service/src/test/java/org/whispersystems/textsecuregcm/tests/controllers/VoiceVerificationControllerTest.java
index 29e427221..c0b8d92fa 100644
--- a/service/src/test/java/org/whispersystems/textsecuregcm/tests/controllers/VoiceVerificationControllerTest.java
+++ b/service/src/test/java/org/whispersystems/textsecuregcm/tests/controllers/VoiceVerificationControllerTest.java
@@ -5,7 +5,15 @@
 
 package org.whispersystems.textsecuregcm.tests.controllers;
 
+import static org.assertj.core.api.Assertions.assertThat;
+
 import com.google.common.collect.ImmutableSet;
+import io.dropwizard.auth.PolymorphicAuthValueFactoryProvider;
+import io.dropwizard.testing.FixtureHelpers;
+import io.dropwizard.testing.junit.ResourceTestRule;
+import java.util.Arrays;
+import java.util.HashSet;
+import javax.ws.rs.core.Response;
 import org.glassfish.jersey.test.grizzly.GrizzlyWebTestContainerFactory;
 import org.junit.Rule;
 import org.junit.Test;
@@ -16,15 +24,6 @@ import org.whispersystems.textsecuregcm.storage.Account;
 import org.whispersystems.textsecuregcm.tests.util.AuthHelper;
 import org.whispersystems.textsecuregcm.util.SystemMapper;
 
-import javax.ws.rs.core.Response;
-import java.util.Arrays;
-import java.util.HashSet;
-
-import io.dropwizard.auth.PolymorphicAuthValueFactoryProvider;
-import io.dropwizard.testing.FixtureHelpers;
-import io.dropwizard.testing.junit.ResourceTestRule;
-import static org.assertj.core.api.Assertions.assertThat;
-
 public class VoiceVerificationControllerTest {
 
   @Rule
@@ -125,7 +124,18 @@ public class VoiceVerificationControllerTest {
                  .post(null);
 
     assertThat(response.getStatus()).isEqualTo(400);
+
   }
 
+  @Test
+  public void testTwimlMalformedLocale() {
+    Response response =
+        resources.getJerseyTest()
+            .target("/v1/voice/description/123456")
+            .queryParam("l", "it IT ,")
+            .request()
+            .post(null);
 
+    assertThat(response.getStatus()).isEqualTo(400);
+  }
 }