Last week, Truecaller launched an application called Guardians to share your location and other important safety information with your family.
However, at launch the app shipped with a serious bug that let an attacker take full control of any user's account. Anand Prakash, who found the vulnerability, reported it to Truecaller on Thursday, and it was fixed the same day.
The "personal safety" app includes an emergency button that, when pressed during a crisis, notifies selected contacts such as family members of the user's real-time location.
Prakash classified the problem as an "Insecure Direct Object Reference" (IDOR) vulnerability.
Prakash, who founded a cybersecurity startup, noted that an attacker could log into a victim's account knowing only the victim's telephone number. From there, the attacker had full control over the account and the data tied to it, including the live locations of the victim's guardians (emergency contacts), the victim's date of birth and their profile picture, he said.
An IDOR arises when an API looks up a record using an identifier supplied by the client (here, a phone number) without checking that the caller is actually authorized to access that record. Because such identifiers are easy to know, guess or enumerate, an attacker can reach data in sites and apps that would not normally be accessible to them.
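To make the distinction concrete, here is an added example (not Truecaller's code, and not a description of how the Guardians backend works) showing the vulnerable lookup beside a hardened one. The account store, phone numbers, OTP flow and handler names are all assumptions made for the illustration:

```python
# Added example, not Truecaller's code: a minimal model of the IDOR pattern
# described above. Account records, phone numbers, OTP handling and the two
# handlers are all constructed for this illustration.
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed account store: phone number -> account record. The guardians
# map holds each emergency contact's last reported (lat, lon).
ACCOUNTS = {
    "+15550000001": {"name": "Alice", "dob": "1990-01-01",
                     "guardians": {"+15550000002": (12.97, 77.59)}},
    "+15550000002": {"name": "Bob", "dob": "1985-06-15",
                     "guardians": {"+15550000001": (12.93, 77.62)}},
}

PENDING_OTPS = {}  # phone -> one-time code awaiting verification
SESSIONS = {}      # opaque session token -> phone number that proved ownership


def issue_otp(phone: str) -> Optional[str]:
    """Generate a one-time code for `phone`. A real service would send it by
    SMS; it is returned here so the example runs offline."""
    if phone not in ACCOUNTS:
        return None
    code = f"{secrets.randbelow(10**6):06d}"
    PENDING_OTPS[phone] = code
    return code


def login(phone: str, code: str) -> Optional[str]:
    """Issue a session token only if the caller presents the pending OTP,
    i.e. proves possession of the number rather than mere knowledge of it."""
    expected = PENDING_OTPS.get(phone)
    if expected is None or not secrets.compare_digest(
            expected.encode(), str(code).encode()):
        return None
    del PENDING_OTPS[phone]          # single use
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = phone
    return token


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def get_account_vulnerable(request: dict) -> Response:
    """IDOR: the record is selected purely by the client-supplied phone
    number. Nothing ties the request to an authenticated caller, so anyone
    who knows a victim's number can read the whole account."""
    record = ACCOUNTS.get(request.get("phone"))
    if record is None:
        return Response(404)
    return Response(200, record)


def get_account_hardened(request: dict) -> Response:
    """Fix: identity comes from the session, not from the request body.
    A phone number in the request is only honoured if it matches the caller."""
    caller = SESSIONS.get(request.get("token", ""))
    if caller is None:
        return Response(401)                 # not logged in
    requested = request.get("phone", caller)
    if requested != caller:
        return Response(403)                 # someone else's account
    return Response(200, ACCOUNTS[caller])
```

The fix is not to hide the phone number but to stop treating it as proof of identity: the server decides whose data to return from the session it issued after OTP verification, and any client-supplied identifier is only compared against that.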
The Guardians app launched on March 3 and has since passed 100,000 downloads on the Play Store.
In a statement, Truecaller said the bug stemmed from a development configuration that made it into the final rollout by mistake:
“Our engineers were already rolling out a fix at the time of his submission to ensure user safety. We routinely conduct extensive testing to make sure our users are safe and their data secured, however, we would also like to thank Anand for reaching out proactively.”
Fortunately, no account data was leaked. Even so, for an app whose whole purpose is personal safety, a bug that exposes users' live locations and identity details is a serious one.