Last week, the caller identification company Truecaller launched the ‘Guardians’ app. The application allows a user to share their live location with a trusted contact at a particular point in time, or even to set up permanent sharing. During a crisis, the ‘personal protection’ app provides an emergency button that notifies the user’s selected contacts, such as family members, of their real-time location. The app has crossed 1,00,000 downloads since its launch on 3rd March 2021. Recently, it was found that Truecaller’s Guardians application was leaking live location data.
A major vulnerability was reported by a Bengaluru-based security researcher Anand Prakash, which was immediately addressed and fixed by the company.
Problem in the API
According to Prakash, the founder of cybersecurity startup Pingsafe, a potential intruder could log into a victim’s account simply by using their phone number. Following that, the intruder can gain complete control of the account and all data associated with it, including the guardians’ or emergency contacts’ live locations, the victim’s date of birth, and profile photo.
On March 4, the researcher notified Truecaller, and the problem was resolved on the same day. According to him, the vulnerability was caused by a simple API mistake. When an application programming interface (API) is flawed, it can expose data inside websites and applications that is not normally publicly available.
In technical terms, Prakash classified the issue as an “Insecure Direct Object Reference” (IDOR) vulnerability.
“Even after thorough security evaluations, companies often overlook certain fundamental issues. Such issues have massive ramifications, affecting consumers’ privacy and resulting in sales losses for businesses,” he said.
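The pattern Prakash describes, as an added illustration that is not Truecaller's or Guardians' code (all names, tokens and data are constructed): a minimal in-memory account-lookup handler in which any logged-in caller can fetch any account by phone number, beside the object-level authorization check that closes the hole.

```python
from dataclasses import dataclass, field

# Constructed in-memory stand-in for the service's user store. Not real data.
@dataclass
class Account:
    phone: str
    dob: str
    photo_url: str
    guardian_locations: dict = field(default_factory=dict)

ACCOUNTS = {
    "+91-9000000001": Account("+91-9000000001", "1990-01-01", "/p/1.jpg",
                              {"mum": (12.97, 77.59)}),
    "+91-9000000002": Account("+91-9000000002", "1985-05-05", "/p/2.jpg",
                              {"brother": (19.07, 72.87)}),
}

# Session token -> phone number of the logged-in user (constructed sessions).
SESSIONS = {"tok-alice": "+91-9000000001", "tok-bob": "+91-9000000002"}

class Forbidden(Exception):
    pass

def get_profile_vulnerable(session_token: str, phone: str) -> Account:
    """IDOR: the caller is authenticated, but nothing checks that the
    caller owns the account named by the client-supplied phone number."""
    if session_token not in SESSIONS:
        raise Forbidden("not logged in")
    return ACCOUNTS[phone]  # any valid session can read any account

def get_profile_fixed(session_token: str, phone: str) -> Account:
    """Fix: take the resource owner from the server-side session and refuse
    the request when it differs from the object the client asked for."""
    owner = SESSIONS.get(session_token)
    if owner is None:
        raise Forbidden("not logged in")
    if owner != phone:  # object-level authorization check
        raise Forbidden("session does not own this account")
    return ACCOUNTS[phone]

def is_denied(handler, session_token: str, phone: str) -> bool:
    """True when the handler refuses the request (used to compare the two)."""
    try:
        handler(session_token, phone)
    except Forbidden:
        return True
    return False
```

The same check belongs on every endpoint that takes an account identifier, including the ones returning guardians' locations, date of birth and profile photo, since a login check alone does not establish ownership.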
Response from Truecaller
Truecaller verified that the vulnerability had been patched and further added that, “At Guardians, we take security seriously and welcome any feedback or ideas for improvements. Security researchers like Anand Prakash sometimes contact us if they find anything suspicious, and we make sure to thoroughly investigate every submission. Anand identified the problem in this case as a result of a production configuration being carried out by mistake during the launch process.”