[BreachExchange] Over 100 Million JustDial Users' Personal Data Found Exposed On the Internet

Thu Apr 18 10:10:01 EDT 2019

https://thehackernews.com/2019/04/justdial-hacked-data-breach.html

An unprotected database belonging to JustDial, India's largest local
search service, is leaking personally identifiable information of its
every customer in real-time who accessed the service via its website,
mobile app, or even by calling on its fancy "88888 88888" customer
care number, The Hacker News has learned and independently verified.

Founded over two decades ago, JustDial (JD) is the oldest and leading
local search engine in India that allows users to find relevant nearby
providers and vendors of various products and services quickly while
helping businesses listed in JD to market their offerings.

Rajshekhar Rajaharia, an independent security researcher, yesterday
contacted The Hacker News and shared details of how an unprotected,
publicly accessible API endpoint of JustDial's database can be
accessed by anyone to view profile information of over 100 million
users associated with their mobile numbers.

The leaked data includes JustDial users' name, email, mobile number,
address, gender, date of birth, photo, occupation, company name they
are working with—basically whatever profile related information a
customer ever provided to the company.

Though the unprotected APIs exist since at least mid-2015, it's not
clear if anyone has misused it to gather personal information on
JustDial users.

Justdial is Leaking Personal Details Of All Customers

After verifying the leaky endpoint, The Hacker News also wanted to
verify if the API is fetching results directly from the production
server or from a backup database that might not have information
belonging to recently signed-up users.
To find this, I provided Rajshekhar a new phone number that was never
before registered with Justdial server, which he confirmed was not
listed in the database at that time.

Instead of installing and using the JD app or its website, I then
simply called the customer care number and shared a random name and
personal details with the executive to learn a few good restaurants in
my city.

Immediately after completing the call, Rajshekhar sent me the profile
details I shared with the JD executive associated with the same phone
number that was previously not found in the database, indicating that
the unprotected API is fething real-time information of users.
Although the unprotected API is connected to the primary JD database,
Rajshekhar revealed that it's an old API endpoint which is not
currently being used by the company but left forgotten on the server.

Rajshekhar told The Hacker News that he discovered this unprotected
end-point while pentesting the latest APIs in use, which are
apparently protected and using authentication measures.

Besides this, Rajshekhar also found a few other old unprotected APIs,
one of which could allow anyone to trigger OPT request for any
registered phone number, which might not be a serious security issue,
but could be used for spamming users and costing the company.

Rajshekhar also claimed that he tried to contact the company to
responsibly disclose his findings, but unfortunately failed to find
any direct way to contact the company and report the incident.

The Hacker News has also dropped an email to a few email addresses,
linked to the company, we found on the Internet, providing the details
of the incident. We will update this report when we hear back. Stay
Tuned.