
Monday, November 25, 2019

Truecaller fixes flaw exposing user data after alert from Bengaluru based researcher

Technology
Information security researcher Ehraz Ahmed, who identified the flaw, said that it could be used to fetch the information of unaware users.
Popular caller-identification and call-blocking application Truecaller was forced to issue a security fix after a critical flaw, which exposed user data, was identified by Bengaluru-based information security researcher Ehraz Ahmed.

The flaw allowed hackers to use the service's Application Programming Interface (API) to place a malicious link as the URL for their profile picture. "The bug allowed the hacker to replace the link of the profile image. By replacing it with the malicious link, the hacker could execute a script in the background," Ehraz said speaking to TNM. He added that the malicious link could be used to fetch the information of unaware users. "Let's say you are searching my profile and you came across the profile image with the malicious link in place. It looks like an ordinary image to you but your information is logged in the background," Ehraz explained.

Users viewing the profile image, either by searching or through a pop-up, could be targeted with the link, and the hacker could obtain the users' IP address and location details. The flaw could be triggered through all versions of Truecaller, including Android, iOS and the web version.

Upon detecting the flaw, Ehraz developed a proof of concept (POC) and showed it to Gadgets360, a technology website. The organisation alerted Truecaller about the flaw and connected them to Ehraz. After the company fixed the issue, the flaw was reported by Gadgets360. Ehraz reproduced the flaw by showing the process of documenting IP addresses of users in a log file. The script was also able to record the device model numbers and software versions of the users affected by the malicious link.

Truecaller, in a statement to media organisations, confirmed the flaw and stated that it was fixed immediately. "It was recently brought to our attention that there was a small bug in our app services which allowed the modification of one's own profile in an unintended way. We thank the security researcher for bringing this to our notice and collaborating with us. The bug was immediately fixed," a Truecaller official said. The official added that critical user data was not compromised and that the researcher waited for the engineers to patch the issue before making it public.
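The root cause described above is a profile field, the avatar URL, that the API accepted without restricting where it could point, so every client that rendered the picture made a request to a host of the profile owner's choosing. The following is an added example, not Truecaller's code and not based on its API: it contrasts a weak extension-only check with a server-side validator that only accepts HTTPS URLs on the service's own image hosts. The host names (`img.service.invalid`, `cdn.service.invalid`) and all sample URLs are constructed for the illustration.

```python
"""
Added illustration (not Truecaller's code): why a user-settable
profile-image URL must be validated server-side against the service's
own image storage, not just checked for a picture-like extension.

All host names and sample URLs below are hypothetical.
"""
from typing import Optional
from urllib.parse import urlparse, urlunparse

# Hosts the service itself uses to serve avatars (constructed allowlist).
ALLOWED_IMAGE_HOSTS = {"img.service.invalid", "cdn.service.invalid"}


def weak_validate(url: str) -> bool:
    """The kind of check that does NOT help: it looks only at the file
    extension, so a URL on any external host still passes, and every
    viewer's client will contact that host when the picture is shown."""
    return url.lower().endswith((".jpg", ".jpeg", ".png"))


def validate_profile_image_url(url: str) -> Optional[str]:
    """Return a normalised URL if it points at the service's own image
    storage over HTTPS, otherwise None.

    Restricting the origin is what closes the hole: the viewer's client
    then only ever talks to the service's own hosts, so nothing about the
    viewer (IP address, device details) reaches a third party when the
    avatar is rendered."""
    try:
        parts = urlparse(url)
        host = (parts.hostname or "").lower()
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme != "https":            # also rejects javascript:, data:
        return None
    if parts.username or parts.password:   # "https://img.service.invalid@other/"
        return None
    if host not in ALLOWED_IMAGE_HOSTS:
        return None
    if port not in (None, 443):
        return None
    if not parts.path or ".." in parts.path:
        return None
    # Drop query and fragment: an avatar reference needs neither, and
    # stripping them removes a channel for smuggling per-viewer identifiers.
    return urlunparse(("https", host, parts.path, "", "", ""))


def apply_profile_update(profile: dict, requested_url: str) -> dict:
    """Server-side update handler: apply the new avatar only if the URL
    validates; an invalid URL leaves the existing avatar untouched and is
    recorded so the rejection can be logged."""
    clean = validate_profile_image_url(requested_url)
    if clean is None:
        return {**profile, "rejected": requested_url}
    return {**profile, "avatar_url": clean}


if __name__ == "__main__":
    samples = [
        "https://img.service.invalid/u/42/avatar.jpg",
        "http://img.service.invalid/u/42/avatar.jpg",
        "https://tracker.third-party.invalid/pixel.jpg",
        "https://img.service.invalid@tracker.third-party.invalid/x.png",
        "https://img.service.invalid:443/u/1.png?viewer=abc",
    ]
    for s in samples:
        print(f"{s}\n  weak={weak_validate(s)}  strict={validate_profile_image_url(s)}")
```

The point of the contrast is that `weak_validate` accepts the third-party tracking pixel just as readily as a genuine avatar, while `validate_profile_image_url` rejects it; the same allowlist approach applies to any user-controlled URL a service embeds in pages or notifications that other users will load.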
