Skip to main content

Truecaller Flaw — Let Hackers Access User Data & Location Information


Indian security researcher, Ehraz Ahmed found a critical flaw in the Truecaller app that may expose user data as well as device and location information.

Truecaller provides various useful features to its users like call-recording, call-blocking, call-identification, chat & video, etc.
 
Truecaller is one of the most popular smartphone app in India and it has over 500 Million downloads worldwide including iOS and Android. Also, it has over 150 Million daily active users, and 1 Million premium users worldwide.

According to a security researcher Ehraz Ahmed, the vulnerability existed in one of the APIs of the Truecaller app which allows hackers to insert a malicious link as the profile pic URL. Also, the user wouldn't differentiate this change as the profile pic URL is not shown publicly.

So, whenever a user (victim) visits the malicious link added profile which the attacker created on the Truecaller app, the malicious script gets executed and the user's sensitive information like device information, location information, and IP address gets collected without the user's consent.
 
If a user visits the malicious link added profile which the attacker created on the Truecaller app from the desktop then the user's browsers information gets collected without the user's consent.
 
Once the user's sensitive information gets collected, hackers use this information and perform various malicious activities like hackers can track users by using location information, hackers can perform DDoS (Distributed Denial-of-Service), and brute-force attacks by using IP address (scans for the open port). 

As it was an API flaw, Truecaller's all versions affected including iOS, Android, and the Web. 

Security researcher, Ehraz Ahmed also demonstrates the API flaw and shard the Proof-of-Concept (PoC) video. 


Truecaller thanked the security researcher, Ehraz Ahmed for reporting the critical flaw to them, and immediately the flaw has been patched. However, some users are still using the older version of the Truecaller app.

It's a critical flaw and also affecting all versions of Truecaller applications so it is advisable to all the Truecaller users to update the app to the latest version.

As a result of this, Truecaller declared that they are launching a bug bounty program very soon and those security researchers who report flaws in its system will be rewarded by a good amount of money.

If you have any questions related to the critical Truecaller flaw and also want to share your views on this flaw then please mention in the comments box and I will get back to you.
Labels:

Comments

Post a Comment

Popular posts from this blog

How To Check If a Link Is Safe To Click

Many times, we share links among our friends on social media platforms like WhatsApp, Facebook, Instagram or Twitter. But do we know how safe they are? What can happen if you click on any malicious link? We never think of the following things : Links can drop various harmful programs, viruses on your device Links can steal your personal data by dropping spyware or keyloggers Use your browser for crypto mining which will affect your device's performance Even if your device is secured with antivirus, not all of them warn you before clicking such malicious links . And the moment you click on these, they will become big trouble for you. This can sometimes even be dangerous with regard to data security and identity theft. So, Be careful about what you click on. These days one of the quickest growing security issues is ransomware , which is often spread by the user unintentionally clicking dangerous links in emails, social media platforms, messengers, and other tool
75 comments
Read more

How To Enable WhatsApp Fingerprint Lock Feature on Android

WhatsApp has officially rolled out the fingerprint lock feature for all the Android users. Most of you may already have been doing it for the last few years with the help of third-party app lockers for adding more security. Keeping that in mind and to make the process quicker and safer at the same time, WhatsApp has now launched this new fingerprint lock feature so that you can open the app by your fingerprint. It means that regardless of whether the phone is opened, others won't have the option to gain access to the messages without your fingerprint. So, you can now secure your WhatsApp conversations with an extra layer of biometric security . With this step, WhatsApp is finally offering biometric authentication to the Android app, while iPhone users enjoying both the Touch ID that is the fingerprint recognition and Face ID that is the facial recognition since the month of February 2019. WhatsApp is also giving more options with the new fingerprint lock featur
46 comments
Read more

TikTok Secretly Sent Users Private Data & PII Number to Chinese Server Including Draft Videos

The popular Android and iOS short-videos creating app, TikTok hit with a lawsuit claims that the app illegally and secretly transfers app's users' private sensitive data and Personally Identifiable Information (PII) to Chinese servers. TikTok which is a 15-second short-video creating app especially popular among the younger generation and also downloaded over 1.3 Billion times worldwide . TikTok remains top in the most downloaded app list for months on the Apple App Store and Google Play Store.  According to the lawsuit, Tiktok shared the user's created videos which include private acts and closeups of user's faces (biometric data) before the videos are saved on the app. TikTok provides many options includes the next button, close button, and button for effects to its users while recording the video. Here, the next button takes users to the screen that shows these two options : "post" and "save".  After clicking on the "next" button, Tik
62 comments
Read more