Critical bug in Justdial exposed more than 156 million accounts

Oct 10, 2019
05:28 pm

What's the story

In a major incident, India's famous search app, Justdial, has exposed personal account details of over 156 million users. It suffered from a bug that allowed anyone to log into the user accounts and access the information they contained - names, phone numbers, email addresses, and more. Here's all about the issue and how it occurred.

Issue

App caught leaking personal account information

First discovered by security researcher Ehraz Ahmed and flagged by MoneyControl, the issue existed in the Justdial app and opened access to all accounts on the service. This meant a hacker aware of the vulnerability would have been able to leverage it to break into anyone's Justdial account, steal their personal information (name/number/email), and use the services provided by Justdial in their name.

Impact

Financial transactions also revealed by the bug

As the bug opened access to anyone's Justdial account, the financial data associated with Justdial Pay, the company's payment service, was also exposed. However, luckily enough, it only exposed the balance and transactions made on Justdial Pay, not the payment or credit/debit card details of the users. That information remains masked in payment services, including the one operated by Justdial.

Issue

Issue in the Register API of the service

According to Ahmed, the issue was detected in the Register API of Justdial, available across the web, mobile, and desktop, and could be exploited by entering a phone number in the username parameter. He said that when a phone number was entered this way, the service gave back an access token, system ID (SID) and user ID (UID), enabling direct access to the targeted account.
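The flaw class Ahmed describes is an endpoint that returns account identifiers and a live session token for an existing phone number without the caller ever proving control of that number. The following is an added illustration, not Justdial's code and not based on its actual API: a hypothetical `vulnerable_register` function models that pattern, and `start_login`/`verify_login` show the usual hardening, where a one-time code is sent out of band and a token is issued only after the code is verified, within its lifetime, under an attempt limit, and exactly once. The user store and phone number are constructed sample data.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample account store (hypothetical data, not from Justdial).
USERS = {
    "9000000001": {"uid": "u-1001", "name": "Sample User"},
}


def issue_token(uid: str) -> str:
    # Stand-in for real session issuance: an opaque random token tied to the uid.
    return f"{uid}:{secrets.token_urlsafe(16)}"


# --- Vulnerable pattern (the flaw class described in the article) ---
def vulnerable_register(username: str) -> dict:
    """A 'register' endpoint that, when the username matches an existing phone
    number, hands back the account's identifiers and a token. Nothing in this
    flow checks that the caller controls the number."""
    user = USERS.get(username)
    if user is None:
        return {"status": "new"}
    return {"status": "existing", "uid": user["uid"], "token": issue_token(user["uid"])}


# --- Hardened pattern: proof of possession before any token is issued ---
OTP_TTL_SECONDS = 300
OTP_MAX_ATTEMPTS = 5
_pending = {}  # phone -> {"otp_hash", "expires", "attempts"}


def _hash_otp(phone: str, otp: str) -> str:
    # Store only a hash so a leaked pending table does not reveal live codes.
    return hashlib.sha256(f"{phone}:{otp}".encode()).hexdigest()


def start_login(phone: str, deliver, now=None) -> dict:
    """Step 1: generate a one-time code and send it out of band via `deliver`
    (an SMS gateway stand-in). The response carries no identifiers and is the
    same whether or not the number is registered."""
    now = time.time() if now is None else now
    otp = f"{secrets.randbelow(10**6):06d}"
    _pending[phone] = {
        "otp_hash": _hash_otp(phone, otp),
        "expires": now + OTP_TTL_SECONDS,
        "attempts": 0,
    }
    deliver(phone, otp)
    return {"status": "otp_sent"}


def verify_login(phone: str, otp: str, now=None) -> dict:
    """Step 2: a token is issued only if the code matches, is unexpired, and the
    attempt limit has not been exceeded. The comparison is constant-time and
    the code is consumed on success."""
    now = time.time() if now is None else now
    entry = _pending.get(phone)
    if entry is None or now > entry["expires"]:
        _pending.pop(phone, None)
        return {"status": "denied"}
    entry["attempts"] += 1
    if entry["attempts"] > OTP_MAX_ATTEMPTS:
        _pending.pop(phone, None)
        return {"status": "denied"}
    if not hmac.compare_digest(entry["otp_hash"], _hash_otp(phone, otp)):
        return {"status": "denied"}
    _pending.pop(phone, None)  # single use
    user = USERS.get(phone)
    if user is None:
        return {"status": "verified_unregistered"}
    return {"status": "ok", "uid": user["uid"], "token": issue_token(user["uid"])}
```

The point of the split into two functions is that the first response is deliberately uninformative: identifiers and tokens appear only in `verify_login`, and only after a check the client cannot satisfy by knowing the phone number alone.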

Response

Justdial claimed no data has been stolen

After Ahmed's disclosure and demonstration of the vulnerability, Justdial acknowledged the API bug but claimed that the issue had not been exploited to steal users' personal or financial data. "We at Justdial take security seriously," the company told MoneyControl, adding that the bug in question could have been exploited by an expert hacker but has now been fixed.