Critical bug in Justdial exposed more than 156 million accounts
What's the story
In a major incident, India's famous search app, Justdial, has exposed personal account details of over 156 million users. It suffered from a bug that allowed anyone to log into the user accounts and access the information they contained - names, phone numbers, email addresses, and more. Here's all about the issue and how it occurred.
Issue
App caught leaking personal account information
First discovered by security researcher Ehraz Ahmed and flagged by MoneyControl, the issue existed in the Justdial app and opened access to all accounts on the service. This meant a hacker aware of the vulnerability would have been able to leverage it to break into anyone's Justdial account, steal their personal information (name/number/email), and use the services provided by Justdial on their name.
Impact
Financial transactions also revealed by the bug
As the bug opened access to anyone's Justdial account, the financial data associated with Justdial Pay, the company's payment service, was also exposed. However, luckily enough, it only exposed the balance and transactions made on Justdial Pay, not the payment or credit/debit card details of the users. That information remains masked in payment services, including the one operated by Justdial.
Issue
Issue in the Register API of the service
According to Ahmed, the issue was detected in the Register API of Justdial -available across the web, mobile, and desktop - and can be exploited by entering a number in the username parameter. He said, by entering the phone number this way, the service gave away an access token, system ID (SID) and user ID (UID), enabling direct access to the targeted account.
Response
Justdial claimed no data has been stolen
After Ahmed's disclosure and demonstration of the vulnerability, Justdial acknowledged the API bug but claimed that the issue has not been exploited to steal personal or financial data of the users. "We at Justdial take security seriously," the company told MoneyControl, adding that the bug in question could have been exploited by an expert hacker but has been fixed now.