JustDial Purges Itself Of Bug Granting User Access To Hackers

SUMMARY

Incident exposed personal account details of over 156 Mn users

The bug was fixed within a day from its discovery

Cybersecurity researcher, Ehraz Ahmed was the first to report the bug

In a major security incident, Indian hyperlocal search engine JustDial was found to contain a flaw through which a user account could potentially be taken over. The incident exposed the personal account details of over 156 Mn users. However, the company fixed the bug within a day of learning of it. 

According to a media report, Ehraz Ahmed, a cybersecurity researcher, took to YouTube to highlight the vulnerability in JustDial’s mobile application. He further explained in a blog post that one of its internal APIs allowed an attacker to log in to a user’s account while bypassing the phone number verification step. 

Talking about how hackers and telemarketers could mine JustDial’s data, Ahmed wrote that a script run against a dump of phone numbers, which can easily be found online, could pull the account data behind each number. 

For each number, the script received back an access token, a system ID (SID) and a user ID (UID). The SID is the key to a user’s various accounts, and obtaining it exposes all of that user’s data. The UID, in turn, gives the attacker access to the account itself, including the ability to post on the user’s profile. 
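To make the flaw described above concrete, here is an added example (not JustDial’s code, and not from Ahmed’s write-up). It models a toy login service with two endpoints: a hypothetical internal one that hands out a full session for any known phone number, which is what lets a script enumerate a number list, and a fixed one that only issues a session after a server-side OTP check bound to that number. All phone numbers, IDs and method names are constructed for the example.

```python
"""Toy model of a phone-verification bypass and its fix.

Added example, not JustDial's code: the endpoint names, the session
fields (access token, SID, UID) and the user records are all hypothetical.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Session:
    access_token: str
    sid: str   # hypothetical "system ID" tying together a user's accounts
    uid: str   # hypothetical user ID used for profile actions


class ToyAuthService:
    """Constructed user store keyed by (fake) phone number."""

    def __init__(self) -> None:
        self.users = {
            "+910000000001": {"uid": "u-1001", "sid": "s-9001"},
            "+910000000002": {"uid": "u-1002", "sid": "s-9002"},
        }
        self._pending_otps: Dict[str, str] = {}
        self._failed: Dict[str, int] = {}

    def _issue(self, phone: str) -> Session:
        rec = self.users[phone]
        return Session(secrets.token_hex(16), rec["sid"], rec["uid"])

    # --- vulnerable: an "internal" login that trusts the phone number alone --
    def login_internal_unverified(self, phone: str) -> Optional[Session]:
        """Nothing proves the caller controls the phone, so any known
        number yields a token/SID/UID."""
        return self._issue(phone) if phone in self.users else None

    # --- fixed: a session exists only after a server-side OTP check --------
    def request_otp(self, phone: str) -> str:
        otp = f"{secrets.randbelow(10**6):06d}"
        self._pending_otps[phone] = otp
        return otp  # in a real system this goes out by SMS, not to the caller

    def login_verified(self, phone: str, otp: str) -> Optional[Session]:
        expected = self._pending_otps.get(phone)
        if expected is None or self._failed.get(phone, 0) >= 5:
            return None                      # no OTP issued, or locked out
        if not hmac.compare_digest(expected, otp):
            self._failed[phone] = self._failed.get(phone, 0) + 1
            return None
        del self._pending_otps[phone]        # single use
        self._failed.pop(phone, None)
        return self._issue(phone) if phone in self.users else None


def enumerate_unverified(svc: ToyAuthService, phones: List[str]) -> Dict[str, Session]:
    """The automated script from the text: one call per number, no OTP."""
    found: Dict[str, Session] = {}
    for p in phones:
        s = svc.login_internal_unverified(p)
        if s:
            found[p] = s
    return found


def enumerate_verified(svc: ToyAuthService, phones: List[str]) -> Dict[str, Session]:
    """Same script against the fixed endpoint: the attacker never sees an
    OTP, so a guess is all it has, and no OTP was even requested."""
    found: Dict[str, Session] = {}
    for p in phones:
        s = svc.login_verified(p, "000000")
        if s:
            found[p] = s
    return found
```

Against the unverified endpoint the script harvests a session for every number in the dump that belongs to a user; against the verified endpoint it gets nothing, and the per-number failure counter bounds how many OTP guesses an attacker can make before the number is locked.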

“The hackers can also access your Justdial Pay account and receive funds on your behalf by entering their bank account information in the Bank Details Settings, but they cannot transfer the funds as it requires them to have access to your bank account/UPI code,” Ahmed added.

In a BSE filing acknowledging the vulnerability, the Mumbai-based company clarified that the flaw could potentially have allowed an expert hacker to gather basic user information. The company added that the flaw had been fixed and that no theft of data or financial loss to the company, its users or customers had been reported. 

Inc42 has reached out to Justdial. The copy will be updated if and when they revert.

Increasing Security Breaches At JustDial 

Earlier, in April 2019, independent security researcher Rajshekhar Rajaharia detected a major security loophole in Justdial’s database, which exposed the records of over 100 Mn users. 

Four days after Rajaharia’s public post, and after multiple failed attempts on his part to reach Justdial, Inc42 reported the leak of Justdial’s 100 Mn-user database on April 16. The company fixed that loophole a week after Rajaharia’s public post.

Note: We at Inc42 take our ethics very seriously. More information about it can be found here.
