Last week, caller identification company Truecaller launched an application called Guardians that’s designed to share your location and other vital information with your family for safety.
However, at the launch, the app had a major bug that let hackers take full control over users’ accounts. Security researcher Anand Prakash, who found the vulnerability, informed Truecaller on Thursday, and it was fixed the same day.
Truecaller launched the Guardians app with the intent to share your information with family members and friends for staying safe while traveling. Through the app, you could share your live location,and your phone’s battery life and network status with your trusted contacts. You could also let your family know you need assistance by pressing an ’emergency’ button.
Prakash noted that the bug was in the app’s “Log in with Truecaller API.” That means an attacker could use your phone number to log in to your account. They could intercept the API’s request, and change the phone number to gain access to anyone’s account.
The account takeover allowed the hacker to add themselves or anyone as a trusted contact to a target’s profile. Plus, the bug allowed the hacker to view your family members’ details including names, birth dates, phone numbers, and live locations.
In a statement, Truecaller said that this bug was a development configuration, but made it to the final roll out by mistake:
In this case, the issue pointed out by Anand was due to a development configuration being rolled out by mistake during the launch phase. Our engineers were already rolling out a fix at the time of his submission to ensure user safety.
Thankfully, no account data was leaked. But for an application that’s focused on privacy, this was a dangerous bug that put user data at high risk. The company should’ve done a more thorough security audit before launching the app.