Truecaller launched a new Guardian app just last week, designed to let users share their location and other important details with family for safety. While some had only just begun testing the app, a major bug was discovered soon after it was announced, one that could have caused users to lose their credentials to hackers.
As per a TNW report, security researcher Anand Prakash discovered a vulnerability within the Guardian app and informed Truecaller about the issue on March 4. Prakash notes that the bug was found in the app’s “Log in with Truecaller API”, which means miscreants could have had full control over a user’s account by simply using their phone number to log in. The hackers could intercept the API’s request and change the phone number to get access to a user’s account. This account takeover allowed the hacker to add themselves as a trusted contact on another user’s profile.
The bug even allowed ‘the hacker’ to view a user’s family members’ details including names, birth dates, phone numbers, and live locations, as per the report.
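The flaw described above comes down to a server accepting an identity field that the client can edit. The following is an added example, not Truecaller's code: it contrasts a handler that trusts the phone number in the request with one that takes identity only from a signed assertion. The key, account table, function names and assertion format are all hypothetical.

```python
import base64, hashlib, hmac, json, time

# Constructed values: a key shared by the identity provider and the app
# backend, and a tiny account table. Neither comes from the report.
IDP_KEY = b"constructed-demo-key"
ACCOUNTS = {"+910000000001": "alice", "+910000000002": "bob"}

def idp_issue_assertion(phone, now=None, ttl=300):
    """Hypothetical identity provider: signs the phone number it verified."""
    claims = {"phone": phone, "exp": int(now or time.time()) + ttl}
    payload = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(IDP_KEY, payload, hashlib.sha256).digest()
    enc = base64.urlsafe_b64encode
    return enc(payload).decode() + "." + enc(tag).decode()

def login_trusting_client(request):
    """Flawed pattern: the account is chosen by an editable request field."""
    return ACCOUNTS.get(request["phone"])

def login_bound_to_assertion(request, now=None):
    """Hardened: ignore request['phone']; use only the signed claim."""
    try:
        p64, t64 = request["assertion"].split(".")
        payload = base64.urlsafe_b64decode(p64)
        tag = base64.urlsafe_b64decode(t64)
    except (KeyError, ValueError):
        return None  # missing or malformed assertion
    expected = hmac.new(IDP_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # payload was altered or signed with another key
    claims = json.loads(payload)
    if claims["exp"] < (now or time.time()):
        return None  # stale assertion
    return ACCOUNTS.get(claims["phone"])

def demo():
    """Bob's legitimate request with the phone field changed in transit."""
    bob = "+910000000002"
    req = {"phone": bob, "assertion": idp_issue_assertion(bob)}
    tampered = dict(req, phone="+910000000001")
    return login_trusting_client(tampered), login_bound_to_assertion(tampered)

if __name__ == "__main__":
    print(demo())
```

The first handler resolves the tampered request to the other user's account, while the second still resolves it to the account the provider actually verified.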
While the idea behind the Guardian app is to share vital information with family members and other trusted contacts to stay safe while commuting, the bug did pose a serious threat to users’ credentials. Thankfully, the issue was acknowledged by Truecaller and they fixed it on the same day.
“In this case, the issue pointed out by Anand was due to a development configuration being rolled out by mistake during the launch phase. Our engineers were already rolling out a fix at the time of his submission to ensure user safety,” Truecaller said.
As per the TNW report, no account data was leaked, but the vulnerability raises questions about Truecaller’s security measures.