Zak Doffman at Forbes is reporting on a newly discovered vulnerability in the Truecaller app that puts 150 million iOS and Android users at risk.
Truecaller is one of the premier caller ID apps, identifying unknown calls from mobile, landline and prepaid phones. It also provides the ability to block numbers and to auto-block robocalls and telemarketers. The app also offers VoIP calling, call recording, SMS and group chat, as well as banking and payments.
Truecaller just recently passed the 500 million download mark, with 150 million daily users. Of those, 100 million are in India, where the app has surpassed Facebook in popularity. According to the company’s blog, “every tenth active user in India has linked their bank account to Truecaller Pay.” The app’s popularity, not to mention the breadth of services offered, makes the vulnerability even more concerning: the flaw was in the Truecaller API rather than in any one client, so it reached users on every platform.
According to Mr. Doffman, “India-based researcher Ehraz Ahmed discovered the flaw, disclosing it to local media and the company and waiting for a fix before going public. He explained to me that ‘the flaw allows an attacker to inject his malicious link as the profile URL. The user viewing the attacker’s profile by search or through a popup gets exploited.’ Ahmed has said the flaw could be used to mount serious attacks on target machines, although this was not the scope of the proof of concept and has been played down by the company.
“What Ahmed did manage through his POC was ‘to fetch a user’s information like IP address, User-Agent, and time. The user visiting the profile would not notice this as it all happens in the background, and for the user, it would look like any other profile.’ With the now-patched flaw impacting Truecaller’s API, it is a potential threat to all apps and platforms.”
Mr. Ahmed worked with Truecaller to identify the bug, and a patch was released immediately. Because the issue was in the API rather than in the client apps, the company could fix it on their end without waiting for users to update; even so, all users should install the latest version to be on the safe side.
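The flaw class Mr. Ahmed describes, a user-editable profile link that other users’ clients fetch automatically, is worth seeing in code. What follows is an added example and is not Truecaller’s code or its actual fix (the article does not say how the API was patched); the field name, the HTTPS-only policy and the sample inputs are assumptions for the example. It shows a server-side validator a profile-update endpoint can apply to such a field, and a renderer that emits the stored value as an escaped link the viewer must tap, rather than something the client loads in the background.

```python
"""Validating and rendering a user-supplied profile URL.

Added illustration of the flaw class in the article: an attacker stores a
link in a profile field and every client that views the profile fetches it,
leaking the viewer's IP address, User-Agent and the time of the view. This is
not Truecaller's code and not its fix; the field name, the HTTPS-only policy
and the sample inputs below are assumptions made for the example.
"""
import ipaddress
from html import escape
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}   # assumption: profile links must be https
MAX_URL_LENGTH = 2048


def validate_profile_url(raw: str) -> str:
    """Return the URL if it is safe to store, "" if empty, else raise ValueError.

    Rejects non-https schemes (javascript:, data:, file:, intent: ...),
    credentials in the authority part, literal non-global IP addresses and
    characters that could break out of markup the value is later embedded in.
    """
    if raw is None or raw.strip() == "":
        return ""
    raw = raw.strip()
    if len(raw) > MAX_URL_LENGTH:
        raise ValueError("profile url too long")
    # Control characters and markup delimiters have no place in a URL field.
    if any(ord(c) < 0x20 or ord(c) == 0x7F or c in '<>"\'\\' for c in raw):
        raise ValueError("profile url contains disallowed characters")

    parts = urlsplit(raw)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed: %r" % parts.scheme)
    if parts.username is not None or parts.password is not None:
        # https://trusted.example@evil.example/ reads as trusted to a human.
        raise ValueError("credentials in url")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None   # a hostname, not an IP literal
    if addr is not None and not addr.is_global:
        # Loopback, link-local, RFC 1918: a beacon into the viewer's own network.
        raise ValueError("non-global ip literal")
    return parts.geturl()


def profile_link_html(stored_url: str) -> str:
    """Render a stored profile URL as a link the viewer must tap.

    The client must not prefetch, preview or auto-open this URL: a background
    fetch is exactly what leaked IP, User-Agent and time in the article. Both
    the href and the link text are HTML-escaped, and noreferrer keeps the
    viewer's page out of the target's logs if they do tap it.
    """
    url = validate_profile_url(stored_url)   # re-check: never trust stored data
    if not url:
        return ""
    quoted = escape(url, quote=True)
    return '<a href="%s" rel="noopener noreferrer nofollow">%s</a>' % (quoted, quoted)


# Constructed sample inputs for the example (not real profiles); the value
# is whether the validator should accept the URL.
SAMPLE_PROFILE_URLS = {
    "https://example.com/me": True,
    "javascript:alert(document.cookie)": False,
    "http://example.com/me": False,
    "https://user:secret@example.com/": False,
    "https://10.0.0.1/beacon": False,
    "https://[::1]/beacon": False,
    "https://example.com/<img src=x>": False,
}


def check_samples() -> dict:
    """Run every sample through the validator; True means accepted."""
    results = {}
    for url in SAMPLE_PROFILE_URLS:
        try:
            validate_profile_url(url)
            results[url] = True
        except ValueError:
            results[url] = False
    return results


if __name__ == "__main__":
    for url, accepted in check_samples().items():
        print("%-40s %s" % (url, "accepted" if accepted else "rejected"))
    print(profile_link_html("https://example.com/me?a=1&b=2"))
```

The validator runs on the server at write time, and the renderer re-validates at read time so that a value that slipped into the database before the check existed still cannot reach a client unescaped. The scheme allowlist is the part that matters most: a denylist of javascript: and data: misses the next scheme a mobile platform decides to handle.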
As more and more apps offer services that cross a range of industries, such as communication and banking, flaws like this will represent a much greater threat to users.