wordpress blog stats
Connect with us

Hi, what are you looking for?

Truecaller defect allowed hackers to harvest IP address, other user data via malicious links, now fixed: Report

Truecaller has fixed a defect that allowed hackers to use its application program interface (API) to place a malicious link as the URL for users’ profile picture, reported Gadgets360 on November 23. The defect allowed hackers to use malicious links to harvest IP addresses, physical location, and other data of users by attacking them using brute force and distributed denial of service (DDoS), the report said. A Truecaller spokesperson said the “bug was immediately fixed” and added that this “was not a critical vulnerability” and that “no critical user data was ever compromised”.

How did the defect surface?

A Bengaluru-based security researcher, Ehraz Ahmed, had found the Truecaller defect, and Gadgets360 reported it. Truecaller fixed the vulnerability. This API flaw could be accessed through all versions of Truecaller, including Android, iOS, and the web. If a user was searching for a Truecaller profile from the desktop, the flaw could let the hacker know the user’s browser details.

In an official statement, Truecaller said:

“It was recently brought to our attention that there was a small bug in our app services which allowed the modification of one’s own profile in an unintended way. We thank the security researcher for bringing this to our notice and collaborating with us. The bug was immediately fixed”.

Previous privacy concerns with Truecaller

In July 2019, National Payments Corporation of India (NPCI) had stopped onboarding new Truecaller users on the UPI platform because the company had automatically started the registration process for creating a UPI ID for multiple users. However, Truecaller had called it a “bug” and said it affected only a small fraction of its users in India.

In September 2019, Nigeria’s National Information Technology Agency (NITDA) had launched an investigation into a potential breach of privacy rights under the country’s National Data Protection Regulation. The agency had accused it of over-collecting user data and sharing it with third-party advertisers without user consent.

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like


Truecaller has appointed a new chief financial officer, Odd Bolin, to prepare the company for an initial public offering (IPO). The Sweden-headquartered caller identification...


The Singapore government has confirmed that data from its coronavirus contact tracing app TraceTogether can be used by law enforcement for criminal investigations. Speaking...


More than 50% of children used shared devices, and there isn’t a level playing field to access to the internet, said Siddharth Pillai of...


Indian laws such as the Juvenile Justice Act, the Evidence Act, and child labour laws, recognise that children are at different levels of maturity...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2018 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to Daily Newsletter

    © 2008-2018 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ