A bug in Indian local search app exposed over 156 million accounts


A major flaw in an Indian local search app, Justdial, allowed hackers to log in to any of its 156 million users' accounts.

Apart from exposing user information such as names, phone numbers, and email addresses, the vulnerability allowed them to peek into financial details, including an account's balance and transactions, through JustDial Pay, the company’s payment service.

First reported by MoneyControl, the bug was discovered by security researcher Ehraz Ahmed last month. The exploit abused the site’s Register API, which is used for sign-ups.

A video posted by Ahmed shows that a hacker can use a person’s phone number as the username and gain access to the account through the flaw. The bug even allowed hackers to change account details for JD Pay so that all the money sent to that account gets redirected. However, it didn’t allow them to send money, as that requires an additional PIN.

JustDial said in a statement the flaw was fixed yesterday:

We at Justdial take security seriously. There was a bug in one of our APIs which could potentially be accessed by an expert hacker. This bug has been fixed. We work with various security researchers to strengthen our platform and would like to thank Ehraz Ahmed for bringing this out to us.

The company said there was no loss of data.
