[BreachExchange] Vulnerability Hit Truecaller App Potentially Affecting Millions Of Users

Destry Winant destry at riskbasedsecurity.com
Tue Nov 26 10:05:54 EST 2019


https://latesthackingnews.com/2019/11/25/vulnerability-hit-truecaller-app-potentially-affecting-millions-of-users/

The popular call-blocking application Truecaller has recently made it
to the news due to a security flaw. A researcher discovered a serious
vulnerability in the Truecaller app that could have threatened the
security of millions of users.

Truecaller App Vulnerability
Indian security researcher Ehraz Ahmed found a critical vulnerability
in the Truecaller app. Specifically, the vulnerability allowed a user
to plant a URL into the profile picture. Hence, a potential attacker
could exploit the flaw to inject a malicious URL into the profile
picture. As a result, anyone clicking on the profile would fall
victim to the attack.

According to Forbes, Ahmed said: “The flaw allows an attacker to inject
his malicious link as the profile URL. The user viewing the attacker’s
profile by search or through a popup gets exploited.”

The researcher revealed that such attacks could allow the attacker to
extract numerous details about the user. This includes fetching the
victim’s IP address, user-agent and time without them knowing.

He has also shared a PoC of the exploit demonstrating how an attacker
could fetch the victim’s information.
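The bug sits in the profile-update API: the server accepted an arbitrary, client-supplied URL as the profile picture, so every client that rendered the profile fetched that URL and handed the URL's owner its IP address, User-Agent and timestamp. As an added illustration (not Truecaller's code; the field name, the first-party image host and the upload-id format are assumptions), here is a validator of the kind a profile-update endpoint would run, with the permissive pre-fix style check beside a strict one that only accepts references to images on the service's own host.

```python
import re
from urllib.parse import urlsplit

# Assumptions (not from the article): profile pictures live on one
# first-party image host and are addressed by an opaque upload id.
ALLOWED_IMAGE_HOST = "images.example-cdn.invalid"
UPLOAD_PATH_RE = re.compile(r"^/uploads/[A-Za-z0-9]{16,32}\.(jpg|png)$")


def permissive_profile_url_ok(url: str) -> bool:
    """Pre-fix style check: any syntactically valid http(s) URL passes.
    Clients viewing the profile fetch it, so an attacker-controlled host
    learns each viewer's IP address, User-Agent and time of viewing."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def strict_profile_url_ok(url: str) -> bool:
    """Hardened check: https only, exact first-party host (netloc
    comparison also rejects embedded userinfo and ports), a path that
    looks like an upload id, and no query string or fragment, which
    could otherwise carry a per-viewer tracking token."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    if parts.netloc.lower() != ALLOWED_IMAGE_HOST:
        return False
    if parts.query or parts.fragment:
        return False
    return UPLOAD_PATH_RE.match(parts.path) is not None


def update_profile_picture(profile: dict, url: str) -> dict:
    """Profile-update handler: persist the reference only if it passes
    the strict check; otherwise reject the request."""
    if not strict_profile_url_ok(url):
        raise ValueError("profile picture must reference an uploaded image")
    updated = dict(profile)
    updated["picture_url"] = url
    return updated


if __name__ == "__main__":
    # Constructed sample inputs, not real Truecaller data.
    for candidate in (
        "https://images.example-cdn.invalid/uploads/abcdef0123456789.jpg",
        "http://tracker.invalid/pixel.png",
        "https://images.example-cdn.invalid/uploads/abcdef0123456789.jpg?v=42",
    ):
        print(candidate, permissive_profile_url_ok(candidate), strict_profile_url_ok(candidate))
```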

Patch Now
After finding the bug, the researcher swiftly informed Truecaller
about the matter before going public. Consequently, Truecaller patched
the flaw in the app’s API and has released the fix. As per their
statement to Forbes:
“It was recently brought to our attention that there was a small bug in
our app services which allowed the modification of one’s own profile
in an unintended way. We thank the security researcher for bringing
this to our notice and collaborating with us. The bug was immediately
fixed.”

Since it’s a critical bug affecting all Truecaller applications, users
must ensure they update their devices with the latest patched
versions.

Alongside the fix, Truecaller has also disclosed its plans to announce
a bug bounty program soon.
