Indian security researcher, Ehraz Ahmed found a critical flaw in the Truecaller app that may expose user data as well as device and location information.
Truecaller provides various useful features to its users like call-recording, call-blocking, call-identification, chat & video, etc.
Truecaller is one of the most popular smartphone app in India and it has over 500 Million downloads worldwide including iOS and Android. Also, it has over 150 Million daily active users, and 1 Million premium users worldwide.
According to a security researcher Ehraz Ahmed, the vulnerability existed in one of the APIs of the Truecaller app which allows hackers to insert a malicious link as the profile pic URL. Also, the user wouldn't differentiate this change as the profile pic URL is not shown publicly.
So, whenever a user (victim) visits the malicious link added profile which the attacker created on the Truecaller app, the malicious script gets executed and the user's sensitive information like device information, location information, and IP address gets collected without the user's consent.
If a user visits the malicious link added profile which the attacker created on the Truecaller app from the desktop then the user's browsers information gets collected without the user's consent.
Once the user's sensitive information gets collected, hackers use this information and perform various malicious activities like hackers can track users by using location information, hackers can perform DDoS (Distributed Denial-of-Service), and brute-force attacks by using IP address (scans for the open port).
As it was an API flaw, Truecaller's all versions affected including iOS, Android, and the Web.
Security researcher, Ehraz Ahmed also demonstrates the API flaw and shard the Proof-of-Concept (PoC) video.
Truecaller thanked the security researcher, Ehraz Ahmed for reporting the critical flaw to them, and immediately the flaw has been patched. However, some users are still using the older version of the Truecaller app.
It's a critical flaw and also affecting all versions of Truecaller applications so it is advisable to all the Truecaller users to update the app to the latest version.
As a result of this, Truecaller declared that they are launching a bug bounty program very soon and those security researchers who report flaws in its system will be rewarded by a good amount of money.
If you have any questions related to the critical Truecaller flaw and also want to share your views on this flaw then please mention in the comments box and I will get back to you.