Critical Truecaller flaw risked user IP addresses, location
Popular caller-identity service Truecaller has fixed a major security loophole in its system. The flaw, which surfaced a few months after the issue that automatically signed users up for UPI, was tied to an API and opened a way to harvest users' IP addresses and location data. Here's all you need to know about it.
API flaw detected in Truecaller
First flagged by Bengaluru-based researcher Ehraz Ahmed, the bug in question existed in an API (application programming interface) of the Truecaller app. Ahmed said the issue opened a way for threat actors to replace the URL of a Truecaller user's profile picture with a malicious link, which could then steal IP address, location, and device or browser details of people opening the infected profile.
You wouldn't even have realized an attack
"Whenever a user views the attacker's profile on Truecaller -- either by doing a search or tapping the pop-up from a call, the custom script gets executed and user's IP address gets recorded," Ahmed said, adding that most people wouldn't even see this attack coming.
Bug could have also led to brute-force, DDoS attacks
Along with revealing the location of people opening infected profiles, the API flaw could have been used by attackers to scan for open ports and carry out brute-force and DDoS (distributed denial of service) attacks, Ahmed stated. Plus, because the issue existed in the API, it affected all Truecaller products, from the Android and iOS apps to the main website.
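The root cause described above is a profile-update API that stored whatever URL it was given for the picture field, so every client rendering the profile fetched an attacker-chosen host. As an added example (not Truecaller's code; the CDN host name, file extensions and function names are assumptions), here is the lenient handling beside a hardened validator that only accepts image URLs on a host the service itself controls:

```python
from urllib.parse import urlsplit

# Hypothetical allow-list of hosts the service serves profile images from.
# Constructed for this example; the real CDN names are not on the page.
TRUSTED_IMAGE_HOSTS = {"images.example-cdn.test"}
IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".png", ".webp")


def accept_any_url(url: str) -> str:
    """Weak handling: store the URL exactly as the update request supplied it.
    Every viewer's client later fetches it directly, so a third-party host
    learns the viewer's IP address, user agent and rough location."""
    return url


def validate_profile_image_url(url: str) -> str:
    """Hardened handling: accept only an https URL on a service-controlled
    host, with no embedded credentials, odd port, query string or fragment.
    Returns the canonical URL to store, or raises ValueError."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        raise ValueError("profile image must use https")
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")
    host = (parts.hostname or "").lower()
    if host not in TRUSTED_IMAGE_HOSTS:
        raise ValueError(f"untrusted image host: {host!r}")
    if parts.port not in (None, 443):  # raises ValueError on a garbage port
        raise ValueError("non-standard port not allowed")
    if parts.query or parts.fragment:
        raise ValueError("query string or fragment not allowed")
    if not parts.path.lower().endswith(IMAGE_EXTENSIONS):
        raise ValueError("path must reference an image object")
    return f"https://{host}{parts.path}"


def screen_profile_image_urls(urls: list[str]) -> dict[str, str]:
    """Batch helper for log review: maps each submitted URL to 'accepted'
    or to the reason the hardened validator rejected it."""
    results = {}
    for url in urls:
        try:
            validate_profile_image_url(url)
            results[url] = "accepted"
        except ValueError as exc:
            results[url] = f"rejected: {exc}"
    return results
```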
Now, a fix has been issued
Ahmed demonstrated the impact of the bug in a proof-of-concept, accompanied by a video, shared with Gadgets360. After the outlet contacted Truecaller, the company acknowledged the issue and issued a fix. Notably, the company also added that it is planning to launch a bug bounty program to reward researchers who flag vulnerabilities in its products.
Here's what the company said after fixing the issue
"There was a small bug in our app services which allowed the modification of one's own profile in an unintended way," Truecaller said. "We thank the security researcher for bringing this to our notice and collaborating with us. The bug was immediately fixed."