JustDial fixes bug that allowed hackers access
A cyber security researcher, Ehraz Ahmed, uncovered the vulnerability, which was first reported by moneycontrol.com.
Ahmed wrote in a blog post that one of JustDial’s internal APIs could allow an attacker to log in to a user account while bypassing the phone-number verification step.
The API would then return an access token, a system ID (SID) and a user ID (UID).
With the SID, the attacker could access the user’s various accounts; with the UID, the attacker could post on the user’s profile.
“Hackers and telemarketers can mine the data of JustDial by automating a script using a phone number dump found online,” Ahmed wrote.
“The hackers can also access your Justdial Pay account and receive funds on your behalf by entering their bank account information in the Bank Details Settings, but they cannot transfer the funds as it requires them to have access to your bank account/UPI code,” he said.
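The pattern described above, as an added illustration that is not part of the article and not JustDial’s code: a hypothetical login API that hands out an access token, SID and UID on nothing more than a known phone number, next to a hardened version that binds the session to a short-lived, single-use, attempt-limited OTP and answers unknown numbers and wrong codes with the same generic failure, so a leaked number list can neither be turned into account takeovers nor used to confirm which numbers are registered. Every phone number, ID and the “dump” below is constructed for the example.

```python
"""Hypothetical login API: an OTP-less endpoint beside its hardened form.

Constructed example, not JustDial's code. All records and numbers are made up.
"""
import hmac
import secrets
import time

# Constructed user store keyed by phone number (hypothetical records).
USERS = {
    "9100000001": {"uid": 1001, "sid": "s-a1", "name": "User A"},
    "9100000002": {"uid": 1002, "sid": "s-b2", "name": "User B"},
    "9100000003": {"uid": 1003, "sid": "s-c3", "name": "User C"},
}


class AuthError(Exception):
    """Generic failure; identical for unknown number and wrong OTP."""


def vulnerable_login(phone):
    """Flawed pattern: a session is issued on knowledge of the phone number alone.

    Nothing proves the caller controls the phone, so anyone holding a number
    dump receives an access token, SID and UID for every listed user.
    """
    user = USERS.get(phone)
    if user is None:
        raise AuthError("login failed")
    return {"access_token": secrets.token_hex(16), "sid": user["sid"], "uid": user["uid"]}


# Hardened form: OTP bound to the number, short-lived, single-use, attempt-limited.
OTP_TTL_SECONDS = 300
MAX_OTP_ATTEMPTS = 3
_pending = {}  # phone -> {"otp": str, "expires": float, "attempts": int}


def send_otp(phone, now=None):
    """Generate a 6-digit OTP for the number and hand it to the SMS channel.

    Returned here only so the simulation can 'receive' it; a real service
    delivers it out of band. Unknown numbers get a silent no-op so the
    response does not reveal whether the number is registered.
    """
    now = time.time() if now is None else now
    if phone not in USERS:
        return None
    otp = f"{secrets.randbelow(10**6):06d}"
    _pending[phone] = {"otp": otp, "expires": now + OTP_TTL_SECONDS, "attempts": 0}
    return otp


def secure_login(phone, otp, now=None):
    """Issue a session only after a valid, unexpired, unused OTP for that number."""
    now = time.time() if now is None else now
    state = _pending.get(phone)
    if state is None or now > state["expires"]:
        _pending.pop(phone, None)
        raise AuthError("login failed")
    state["attempts"] += 1
    if state["attempts"] > MAX_OTP_ATTEMPTS:
        _pending.pop(phone, None)  # burn the code after too many guesses
        raise AuthError("login failed")
    if not hmac.compare_digest(state["otp"], otp or ""):
        raise AuthError("login failed")
    _pending.pop(phone)  # single use
    user = USERS[phone]
    return {"access_token": secrets.token_hex(16), "sid": user["sid"], "uid": user["uid"]}


def mine_with_dump(login_fn, phone_dump):
    """Replay a leaked number list against a login function; return the UIDs taken over."""
    taken = []
    for phone in phone_dump:
        try:
            taken.append(login_fn(phone)["uid"])
        except AuthError:
            pass
    return taken


# Constructed "dump": two registered numbers mixed with junk.
PHONE_DUMP = ["9100000001", "9100000009", "9100000003", "0000000000"]

if __name__ == "__main__":
    print("vulnerable endpoint:", mine_with_dump(vulnerable_login, PHONE_DUMP))
    # The hardened endpoint needs the OTP, which the attacker never receives.
    print("hardened endpoint:", mine_with_dump(lambda p: secure_login(p, "000000"), PHONE_DUMP))
```

Run stand-alone, the vulnerable endpoint yields a session for every registered number in the dump while the hardened one yields none; the constant-time comparison, the attempt cap and the identical error for unknown numbers are what stop the same script from being repurposed as an OTP brute-forcer or a registration oracle.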
Ahmed, who also shared a video demonstrating the flaw, told ET that the company had fixed it within a day.
In a filing to the BSE, JustDial acknowledged the vulnerability and said it could potentially have been exploited by an expert hacker to gather basic user information. The company said the flaw had been fixed and that there had been no theft of data or financial loss to the company, its users or its customers.
The company claimed it had 156 million unique users as of June 2019.
Earlier in April, ET had reported that a breach led to the leak of data on more than 100 million JustDial users, including names, email IDs, mobile numbers, gender, date of birth and addresses. The Mumbai-based firm had, however, denied the breach.