{"id":639,"date":"2019-11-26T09:25:58","date_gmt":"2019-11-26T09:25:58","guid":{"rendered":"http:\/\/zerothcode.com\/blog\/?p=639"},"modified":"2020-10-08T05:24:51","modified_gmt":"2020-10-08T04:24:51","slug":"vulnerability-hit-truecaller-app-potentially-affecting-millions-users","status":"publish","type":"post","link":"https:\/\/zerothcode.com\/blog\/vulnerability-hit-truecaller-app-potentially-affecting-millions-users\/","title":{"rendered":"Vulnerability Hit Truecaller App Potentially Affecting Millions Of Users"},"content":{"rendered":"<p>The popular call-blocking application Truecaller recently made the news because of a security flaw. A researcher discovered a serious vulnerability in the Truecaller app that could have threatened the security of millions of users.<\/p>\n<p>Truecaller App Vulnerability<\/p>\n<p>Indian security researcher Ehraz Ahmed found a critical vulnerability in the Truecaller app. Specifically, the vulnerability allowed a user to plant a URL in their own profile picture.<\/p>\n<p>Hence, a potential attacker could exploit the flaw to inject a malicious URL into the profile picture. As a result, anyone clicking on the profile would fall victim to the attack.<\/p>\n<p>According to Forbes, Ahmed said: \u201cThe flaw allows an attacker to inject his malicious link as the profile URL. The user viewing the attacker\u2019s profile by search or through a popup gets exploited.\u201d<\/p>\n<p>The researcher revealed that such attacks could allow the attacker to extract numerous details about the user. This includes fetching the victim\u2019s IP address, user-agent and time without them knowing. He has also shared a POC of the exploit demonstrating how an attacker could fetch a victim\u2019s information.<\/p>\n<p><iframe loading=\"lazy\" title=\"Truecaller Security Flaw   POC\" width=\"800\" height=\"450\" src=\"https:\/\/www.youtube.com\/embed\/ofnaPTrBMr8?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture\" allowfullscreen><\/iframe><\/p>\n<p>Patch Now<\/p>\n<p>After finding the bug, the researcher swiftly informed Truecaller about the matter before going public. Consequently, Truecaller patched the flaw in the app\u2019s API and has released the fix.<\/p>\n<p>As per their statement to Forbes: \u201cIt was recently brought to our attention that there was a small bug in our app services which allowed the modification of one\u2019s own profile in an unintended way. We thank the security researcher for bringing this to our notice and collaborating with us.\u201d<\/p>\n<p>The bug was immediately fixed. Since it\u2019s a critical bug affecting all Truecaller applications, users must ensure they update their devices with the latest patched versions. Alongside the fix, Truecaller has also disclosed its plans to announce a bug bounty program soon. Let us know your thoughts in the comments.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The popular call-blocking application Truecaller has recently made it to the news due to a security flaw. 
A researcher discovered<\/p>\n","protected":false},"author":1,"featured_media":641,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[37],"tags":[],"yst_prominent_words":[512,517,507,518,509,515,519,511,504,510,503,514,505,516,508,490,513,506,489,488],"class_list":["post-639","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hackers-news"],"_links":{"self":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/posts\/639","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/comments?post=639"}],"version-history":[{"count":0,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/posts\/639\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/media\/641"}],"wp:attachment":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/media?parent=639"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/categories?post=639"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/tags?post=639"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/yst_prominent_words?post=639"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}