Caller identification company Truecaller’s ‘Guardians’ application, launched last week, which lets users share their live location with selected guardians from their phone book, had a major vulnerability. The company fixed it within hours of it being pointed out by Bengaluru-based security researcher Anand Prakash.
The ‘personal safety’ application includes an emergency button that, at a single tap during a crisis, notifies the user’s selected contacts, such as family members, with his or her real-time location.
Prakash, founder of cybersecurity startup Pingsafe, noted that a potential attacker could log in to a victim’s account using nothing more than the victim’s phone number. From there, the attacker could take full control of the account and the data associated with it, including the live locations of the guardians or emergency contacts, the victim’s date of birth and profile picture, he said.
The Guardians app was launched on March 3 and currently has over 100,000 downloads on the Play Store.
The researcher informed Truecaller on March 4, and the issue was fixed the same day. The vulnerability was the result of a basic API error, he said. When an application programming interface (API) is misconfigured, data within websites and software that is not normally openly accessible can be reached.
“When it got launched, I immediately started looking through the app. Within a few minutes, I was able to discover this issue on the app. I selected the ‘Login API’ on the app and put in someone else’s phone number and was able to log in to the person’s account. We replicated this issue on other numbers and reported it to Truecaller. They acknowledged it and we got a confirmation saying the issue had been fixed,” said Prakash.
Prakash categorised the problem as an “Insecure Direct Object Reference” (IDOR) vulnerability, in technology parlance.
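As an added illustration (not Truecaller’s code; the phone numbers and in-memory store are constructed for the demo), a minimal login API in Python shows the class of defect described above: a handler that issues a session for whatever phone number the client supplies, beside one that only does so after a short-lived one-time code bound to that number has been verified.

```python
import hmac
import secrets
import time

# Constructed in-memory user store for the demo (not real accounts).
USERS = {"+910000000001": {"name": "victim", "guardians": ["+910000000002"]}}
SESSIONS = {}       # session token -> phone number
PENDING_OTPS = {}   # phone number -> (otp, expiry timestamp, attempts left)
OTP_TTL_SECONDS = 300

def _issue_session(phone):
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = phone
    return token

def login_insecure(phone):
    """Dev-style login that trusts the caller-supplied phone number outright.
    Anyone who knows a registered number gets that account's session."""
    if phone not in USERS:
        return None
    return _issue_session(phone)

def request_otp(phone):
    """Step 1 of a proper flow: bind a short-lived code to the number.
    A real service would send it by SMS; here it is returned so the demo runs offline."""
    if phone not in USERS:
        return None
    otp = f"{secrets.randbelow(10**6):06d}"
    PENDING_OTPS[phone] = (otp, time.monotonic() + OTP_TTL_SECONDS, 3)
    return otp

def login_secure(phone, otp):
    """Step 2: issue a session only after proof of possession of the number."""
    entry = PENDING_OTPS.get(phone)
    if entry is None:
        return None
    expected, expires_at, attempts_left = entry
    if time.monotonic() > expires_at or attempts_left <= 0:
        PENDING_OTPS.pop(phone, None)          # expired or exhausted: force a new code
        return None
    if not hmac.compare_digest(expected, otp):  # constant-time compare
        PENDING_OTPS[phone] = (expected, expires_at, attempts_left - 1)
        return None
    PENDING_OTPS.pop(phone)                    # code is single use
    return _issue_session(phone)

def whoami(token):
    """Resolve a session token to the account it belongs to."""
    phone = SESSIONS.get(token)
    return USERS.get(phone) if phone else None
```

The insecure path is the equivalent of a development configuration that skips verification; the secure path shows the minimum a login endpoint keyed on a phone number needs: a challenge tied to the number, an expiry, an attempt limit and single use.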
“Companies tend to miss out on such fundamental issues even after rigorous security assessments. The repercussions of such problems are enormous and impact customers’ privacy and lead to companies’ revenue losses,” he said.
In response to ET’s queries, a spokesperson for Truecaller confirmed that the vulnerability was fixed.
“We care a lot about security at Guardians and we welcome any comments or suggestions for improvements. On occasion, security researchers like Anand Prakash reach out to us if they spot something amiss and we make sure to verify every such submission very carefully. In this case, the issue pointed out by Anand was due to a development configuration being rolled out by mistake during the launch phase.”
The spokesperson added, “Our engineers were already rolling out a fix at the time of his submission to ensure user safety. We routinely conduct extensive testing to make sure our users are safe and their data secured; however, we would also like to thank Anand for reaching out proactively.”