A recent report by TheHackerNews found that user data held by the tech giant JustDial was exposed on the Internet. The data includes personally identifiable information such as name, age, gender, birthday, occupation, email address, current employer, and more.
JustDial Users’ Data At Risk
TheHackerNews reported that an independent security researcher, Rajshekhar Rajaharia, had contacted them privately about the data exposure.
The user data could be retrieved through an API. To look up a user, an attacker only needed the target's phone number or 'ref id', a unique numerical ID assigned to each JustDial user.
How Was The API Available To The Researcher?
The researcher said the API belonged to an older version of the app, dating from 2015.
Those endpoints were never decommissioned by JustDial's security team after the old app was abandoned, which allowed the researcher to find the API and run lookups against it.
What Type Of Data Was At Risk?
The API returned users' personal details: name, age, gender, occupation, employer, email address, the language the user speaks, and so on.
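The failure the article describes is a profile endpoint that authenticates nobody and lets the caller choose whose record to read, left running under an API version the app no longer uses. The following is an added example written for this page, not JustDial's code: a small in-process model of such a lookup, with the exposed pattern beside a hardened one. The records, the phone numbers, the version names and the `Request` shape are all constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample records (not real data); the fields mirror those the article lists.
USERS = {
    1001: {"phone": "+919900000001", "name": "Asha Rao", "age": 34, "gender": "F",
           "occupation": "Engineer", "company": "Example Pvt Ltd",
           "email": "asha@example.invalid", "language": "Kannada"},
    1002: {"phone": "+919900000002", "name": "Vikram Sen", "age": 41, "gender": "M",
           "occupation": "Accountant", "company": "Sample & Co",
           "email": "vikram@example.invalid", "language": "Bengali"},
}
PHONE_INDEX = {u["phone"]: rid for rid, u in USERS.items()}


@dataclass
class Request:
    path: str                      # e.g. "/v1/profile"; the first segment is the API version
    params: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def _resolve_ref_id(params):
    """Map ?ref_id=... or ?phone=... to an integer ref id, or None if absent/malformed."""
    rid = params.get("ref_id")
    if rid is None and "phone" in params:
        rid = PHONE_INDEX.get(params["phone"])
    try:
        return int(rid) if rid is not None else None
    except (TypeError, ValueError):
        return None


# Pattern 1: the legacy endpoint as the article describes it. No authentication, and the
# caller picks the subject of the query, so anyone who knows a phone number (or simply
# counts upward through the numeric ref ids) gets the full record.
def legacy_lookup(req):
    user = USERS.get(_resolve_ref_id(req.params))
    return (200, user) if user else (404, None)


# Pattern 2: a hardened version of the same endpoint.
SERVER_KEY = secrets.token_bytes(32)          # per-process secret; in practice from a KMS
RETIRED_VERSIONS = {"v1", "v2"}               # assumption: the old app's API versions


def issue_session(ref_id):
    """Bearer token bound to exactly one ref id; the HMAC tag prevents forgery."""
    tag = hmac.new(SERVER_KEY, str(ref_id).encode(), hashlib.sha256).hexdigest()
    return f"{ref_id}.{tag}"


def verify_session(headers):
    """Return the caller's ref id if the bearer token is genuine, else None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    rid_s, _, tag = auth[len("Bearer "):].partition(".")
    expected = hmac.new(SERVER_KEY, rid_s.encode(), hashlib.sha256).hexdigest()
    if not rid_s.isdigit() or not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    return int(rid_s)


def hardened_lookup(req):
    version = req.path.strip("/").split("/")[0]
    if version in RETIRED_VERSIONS:
        # Retired versions answer 410 Gone instead of quietly serving data years later.
        return (410, {"error": "API version retired"})
    caller = verify_session(req.headers)
    if caller is None:
        return (401, {"error": "authentication required"})
    if _resolve_ref_id(req.params) != caller:
        # Object-level authorization: a session may read only its own record.
        # 404 rather than 403, so the reply does not reveal whether a number is registered.
        return (404, None)
    return (200, USERS[caller])
```

Two checks do the work here: the version gate refuses the abandoned endpoint outright, and the hardened handler compares the requested ref id against the identity proven by the token instead of trusting the query string. A production token would also carry an expiry and be revocable; that is omitted to keep the model short.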
What Was The Response By JustDial?
When the report was made public, the researcher said he had tried to contact the company through Facebook, Twitter, Instagram and other channels, but was ignored.
JustDial Responds After Losing Shareholders
After the company started losing shareholders, JustDial's CFO Bansal spoke to the media by phone and claimed that the exposure was limited to a very small number of users. "I wouldn't call this as a data breach", the CFO said in the report.
True Story Behind
A few days after the issue reached mainstream media, the company's CFO made the false statement quoted above, claiming the breach was very limited.
But according to TheHackerNews, the user data was directly accessible. For example, if you call JustDial's search number 88888-88888, the agent collects your details in order to help you, and those details are then stored in the company's database. TheHackerNews gave the researcher a fresh phone number that had never been used to contact JustDial, then called the customer helpline from it and gave the agent random details.
Just after the call ended, Rajshekhar sent back every detail that had been given to the helpline agent. The details were retrievable in real time, which shows that the CFO's statement was false and made to win back shareholders.
Did JustDial Fix The Vulnerability?
Rajshekhar said in a Facebook post that the company fixed the vulnerability, but it did not reply to him after the fix, effectively keeping the issue quiet.
Rajshekhar also said that a few more unprotected APIs remain. They can be used to trigger bogus OTP SMS messages to any phone number in JustDial's name. This is not a data-exposure vulnerability as such, but it can cost the company a lot and put its reputation at risk, because the endpoint can be used for spam: it can send thousands or lakhs (hundreds of thousands) of SMS messages at a time, draining the company's SMS credits.
The report was first published by TheHackerNews and later picked up by other media portals.
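An OTP endpoint that anyone can hit, for any number, as often as they like, is a credit-burning and spam tool rather than a data leak, which is why it is usually fixed with throttling rather than access control. The example below is added for this page and is not JustDial's code: it models the unthrottled pattern beside a sliding-window throttle with a per-number cooldown, a per-number cap and a global cap. The `SmsGateway`, the `FakeClock` and the limit values are constructed for the demonstration.

```python
import secrets
import time
from collections import defaultdict, deque


class SmsGateway:
    """Stand-in for the SMS provider. Every send costs the operator one credit."""
    def __init__(self):
        self.sent = []

    def send(self, phone, text):
        self.sent.append((phone, text))


def send_otp_unthrottled(gateway, phone):
    """The exposed pattern: any caller, any number, as often as they like."""
    otp = f"{secrets.randbelow(10**6):06d}"
    gateway.send(phone, f"Your OTP is {otp}")
    return True


class OtpThrottle:
    """Hardened pattern: per-number cooldown and window cap, plus a global cap.

    Each limit is a sliding window kept as a deque of send timestamps. `clock`
    is injectable so the behaviour can be exercised without sleeping.
    """
    def __init__(self, gateway, per_number=3, number_window=600, cooldown=30,
                 global_limit=1000, global_window=60, clock=time.monotonic):
        self.gateway = gateway
        self.per_number, self.number_window, self.cooldown = per_number, number_window, cooldown
        self.global_limit, self.global_window = global_limit, global_window
        self.clock = clock
        self.by_number = defaultdict(deque)
        self.all_sends = deque()

    @staticmethod
    def _prune(q, now, window):
        while q and now - q[0] >= window:
            q.popleft()

    def request_otp(self, phone):
        """Return (sent, reason). A refusal costs no SMS credit."""
        now = self.clock()
        q = self.by_number[phone]
        self._prune(q, now, self.number_window)
        self._prune(self.all_sends, now, self.global_window)
        if q and now - q[-1] < self.cooldown:
            return (False, "cooldown")
        if len(q) >= self.per_number:
            return (False, "per-number limit")
        if len(self.all_sends) >= self.global_limit:
            # Circuit breaker: caps total credit burn even if the attacker rotates numbers.
            return (False, "global limit")
        otp = f"{secrets.randbelow(10**6):06d}"
        self.gateway.send(phone, f"Your OTP is {otp}")
        q.append(now)
        self.all_sends.append(now)
        return (True, "sent")


class FakeClock:
    """Constructed clock for the demonstration; advance `.t` by hand."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def demo():
    """Flood one number with 500 requests through both patterns; return credits burned."""
    open_gw, clock = SmsGateway(), FakeClock()
    for _ in range(500):
        send_otp_unthrottled(open_gw, "+919900000001")
    throttled_gw = SmsGateway()
    throttle = OtpThrottle(throttled_gw, clock=clock)
    for second in range(500):
        clock.t = float(second)          # one request per second, as a spammer would send
        throttle.request_otp("+919900000001")
    return len(open_gw.sent), len(throttled_gw.sent)


if __name__ == "__main__":
    print(demo())
```

The per-number window stops the spam-one-victim case; the global window stops the bulk credit drain when the attacker spreads requests over many numbers, and a spike in refusals is itself a signal worth alerting on. In practice the request would also be tied to a preceding step (a CAPTCHA or a signed client challenge) so that the endpoint cannot be driven by a bare script.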