Indian hyperlocal search engine JustDial was recently found to contain a security flaw through which a user account could potentially be hacked. The incident exposed the personal account details of over 156 million Indian users. However, the company managed to rectify the bug within a day of discovering it and put a stop to further damage.
According to a media report, Ehraz Ahmed, a cybersecurity researcher, took to YouTube to highlight the vulnerability in JustDial's mobile application. He further explained in a blog post that one of its internal APIs potentially allowed a hacker to log in to a user account while bypassing the phone number verification.
Talking about how hackers and telemarketers could mine JustDial's data, Ahmed wrote that by automating a script using a phone number from a dump that can easily be found online, JustDial's data could be accessed.
The script could then return an access token, a system ID (SID) and the user ID (UID). The SID is the key to the user's various accounts, and unauthorized access to it exposes all of the user's data. Access to the UID, in turn, gives a hacker access to the user's account, with which they can post on the user's profile.
“The hackers can also access your Justdial Pay account and receive funds on your behalf by entering their bank account information in the Bank Details Settings, but they cannot transfer the funds as it requires them to have access to your bank account/UPI code,” Ahmed added.
While acknowledging the vulnerability in a BSE filing, the Mumbai-based company clarified that user data could potentially have been accessed by an expert hacker to gather basic user information. The company added that the flaw had been fixed and that no theft of data or financial loss to the company, its users or its customers had been reported.