Critical bug in Justdial exposed more than 156 million accounts

First discovered by security researcher Ehraz Ahmed and flagged by MoneyControl, the issue existed in the Justdial app and opened access to all accounts on the service.

This meant a hacker aware of the vulnerability would have been able to leverage it to break into anyone's Justdial account, steal their personal information (name/number/email), and use the services provided by Justdial on their name.

As the bug opened access to anyone's Justdial account, the financial data associated with Justdial Pay, the company's payment service, was also exposed.

However, luckily enough, it only exposed the balance and transactions made on Justdial Pay, not the payment or credit/debit card details of the users.

That information remains masked in payment services, including the one operated by Justdial.

According to Ahmed, the issue was detected in the Register API of Justdial -available across the web, mobile, and desktop - and can be exploited by entering a number in the username parameter.

He said, by entering the phone number this way, the service gave away an access token, system ID (SID) and user ID (UID), enabling direct access to the targeted account.

After Ahmed's disclosure and demonstration of the vulnerability, Justdial acknowledged the API bug but claimed that the issue has not been exploited to steal personal or financial data of the users.

"We at Justdial take security seriously," the company told MoneyControl, adding that the bug in question could have been exploited by an expert hacker but has been fixed now.