Truecaller has fixed a defect that allowed hackers to use its application program interface (API) to place a malicious link as the URL for users’ profile picture, reported Gadgets360 on November 23. The defect allowed hackers to use malicious links to harvest IP addresses, physical location, and other data of users by attacking them using brute force and distributed denial of service (DDoS), the report said. A Truecaller spokesperson said the “bug was immediately fixed” and added that this “was not a critical vulnerability” and that “no critical user data was ever compromised”.

How did the defect surface?

A Bengaluru-based security researcher, Ehraz Ahmed, had found the Truecaller defect, and Gadgets360 reported it. Truecaller fixed the vulnerability. This API flaw could be accessed through all versions of Truecaller, including Android, iOS, and the web. If a user was searching for a Truecaller profile from the desktop, the flaw could let the hacker know the user’s browser details.

In an official statement, Truecaller said:

“It was recently brought to our attention that there was a small bug in our app services which allowed the modification of one’s own profile in an unintended way. We thank the security researcher for bringing this to our notice and collaborating with us. The bug was immediately fixed”.

Previous privacy concerns with Truecaller

In July 2019, National Payments Corporation of India (NPCI) had stopped onboarding new Truecaller users on the UPI platform because the company had automatically started the registration process for creating a UPI ID for multiple users. However, Truecaller had called it a “bug” and said it affected only a small fraction of its users in India.

In September 2019, Nigeria’s National Information Technology Agency (NITDA) had launched an investigation into a potential breach of privacy rights under the country’s National Data Protection Regulation. The agency had accused it of over-collecting user data and sharing it with third-party advertisers without user consent.