In a major security breach, Indian hyperlocal search engine JustDial was found to contain a flaw through which user accounts could be hijacked. The flaw exposed the personal account details of over 156 Mn users. The company fixed the bug within a day of learning of it.
According to a media report, cybersecurity researcher Ehraz Ahmed posted a video on YouTube demonstrating the vulnerability in JustDial’s mobile application. In a follow-up blog post he explained that one of the app’s internal APIs allowed an attacker to log in to a user account while bypassing phone number verification.
Describing how hackers and telemarketers could mine JustDial’s data, Ahmed wrote that a script run automatically over phone numbers taken from dumps that are easily found online could pull account data out of JustDial.
For each number, the script returned an access token, a system ID (SID) and the user ID (UID). The SID is the key to the user’s accounts, so obtaining it without authorisation exposes all of that user’s data; with the UID, an attacker could also post on the user’s profile.
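The flaw class Ahmed describes, as a constructed example that is not JustDial’s code nor Ahmed’s script: a login endpoint that issues an access token, SID and UID for any phone number with no proof that the caller controls the phone, beside a hardened version that issues them only after a short-lived, single-use one-time code is verified within a small attempt budget. The user directory, phone numbers, identifiers, function names, TTL and attempt limit are all hypothetical.

```python
"""Constructed illustration of the flaw class described above, not JustDial's
code: a login endpoint that hands out an access token, SID and UID for any
phone number, beside a version that does so only after the caller proves
possession of the phone with a one-time code. All numbers, IDs, function names
and limits here are hypothetical."""
import hmac
import secrets
import time
from typing import Callable, Dict, Iterable, Optional

# Constructed user directory: phone number -> account identifiers (hypothetical).
USERS: Dict[str, Dict[str, str]] = {
    "+919999000001": {"uid": "u-1001", "sid": "sid-a1b2"},
    "+919999000002": {"uid": "u-1002", "sid": "sid-c3d4"},
}
OTP_TTL_SECONDS = 120   # hypothetical code lifetime
MAX_ATTEMPTS = 3        # hypothetical guesses allowed per code
_pending: Dict[str, dict] = {}  # phone -> {"otp", "expires", "attempts"}


def _issue_credentials(phone: str) -> Dict[str, str]:
    user = USERS[phone]
    return {"access_token": secrets.token_hex(16), "sid": user["sid"], "uid": user["uid"]}


# --- Vulnerable pattern: the phone number alone is treated as proof of identity
def login_vulnerable(phone: str) -> Optional[Dict[str, str]]:
    """Returns token, SID and UID for any known number. Nothing shows the caller
    controls that phone, so a list of numbers is enough to reach every account."""
    if phone not in USERS:
        return None
    return _issue_credentials(phone)


# --- Hardened pattern: credentials only after OTP verification
def request_otp(phone: str, now: Optional[float] = None) -> Optional[str]:
    """Generates a random six-digit code. A real service sends it by SMS and
    answers identically whether or not the number exists (no enumeration); here
    the code is returned so the example runs offline."""
    if phone not in USERS:
        return None
    now = time.time() if now is None else now
    otp = f"{secrets.randbelow(10**6):06d}"
    _pending[phone] = {"otp": otp, "expires": now + OTP_TTL_SECONDS, "attempts": 0}
    return otp


def login_hardened(phone: str, otp: str, now: Optional[float] = None) -> Optional[Dict[str, str]]:
    """Issues credentials only for an unexpired, single-use OTP, with a small
    attempt budget so the six-digit space cannot be brute-forced."""
    now = time.time() if now is None else now
    entry = _pending.get(phone)
    if entry is None or now > entry["expires"]:
        _pending.pop(phone, None)
        return None
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:
        _pending.pop(phone, None)  # budget spent: a fresh OTP is required
        return None
    if not hmac.compare_digest(entry["otp"], otp):
        return None  # constant-time comparison; wrong code
    _pending.pop(phone)  # single use
    return _issue_credentials(phone)


# --- The automated script from the write-up, run against each endpoint
def harvest(phones: Iterable[str],
            login: Callable[[str], Optional[Dict[str, str]]]) -> Dict[str, Dict[str, str]]:
    """Loops over a phone-number list and keeps whatever the endpoint returns."""
    results = {}
    for phone in phones:
        creds = login(phone)
        if creds is not None:
            results[phone] = creds
    return results


def harvest_hardened(phones: Iterable[str]) -> Dict[str, Dict[str, str]]:
    """Same script against the hardened endpoint: the attacker holds no code and
    nothing is pending for the number, so nothing is returned."""
    return harvest(phones, lambda phone: login_hardened(phone, "000000"))


def legitimate_login(phone: str) -> Optional[Dict[str, str]]:
    """The user who actually received the code completes the flow."""
    otp = request_otp(phone, now=0.0)
    return login_hardened(phone, otp, now=10.0)


def brute_force_blocked(phone: str) -> bool:
    """Simulates an attacker who triggered a code and burned the attempt budget
    on wrong guesses: even the correct code is then rejected. The wrong guess is
    derived from the real code only to keep the simulation deterministic."""
    otp = request_otp(phone, now=0.0)
    wrong = otp[:-1] + str((int(otp[-1]) + 1) % 10)
    for _ in range(MAX_ATTEMPTS):
        login_hardened(phone, wrong, now=1.0)
    return login_hardened(phone, otp, now=2.0) is None
```

Run `harvest(USERS, login_vulnerable)` to see every directory entry come back with a token, SID and UID, and `harvest_hardened(USERS)` to see the same list yield nothing. The fix is not the OTP alone: the expiry, the single-use consumption and the attempt budget are what stop an attacker who can trigger codes from guessing them.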
“The hackers can also access your Justdial Pay account and receive funds on your behalf by entering their bank account information in the Bank Details Settings, but they cannot transfer the funds as it requires them to have access to your bank account/UPI code,” Ahmed added.
Acknowledging the vulnerability in a BSE filing, the Mumbai-based company said that an expert hacker could potentially have used it to gather basic user information. It added that the flaw had been fixed and that no theft of data or financial loss to the company, its users or customers had been reported.
Inc42 has reached out to Justdial and will update this story if and when the company responds.
Repeated Security Breaches at JustDial
Earlier, in April 2019, independent security researcher Rajshekhar Rajaharia detected a major loophole in Justdial’s systems that exposed its database of over 100 Mn users.
Four days after Rajaharia’s public post, and after multiple failed attempts on his part to reach Justdial, Inc42 reported the leak of the 100 Mn-user database on April 16. The company fixed the loophole a week after Rajaharia’s post.