The flaw allows a hacker to log in to any Justdial account by placing the phone number in the username parameter.
A major security flaw has been detected in Justdial that allows a user's account to be taken over and used to access the different services offered by the local search company. The flaw puts at risk nearly 156 million unique users across Justdial's web, mobile website, app and voice platforms.
The flaw has been detected in Justdial’s Register API by security researcher Ehraz Ahmed, who shared the details exclusively with Moneycontrol. The flaw allows a hacker to log in to any Justdial account by placing the phone number in the username parameter. This would then give the hacker access to any person’s Justdial account.
Access to Justdial user accounts could potentially expose the data of its 156.1 million users online.
How does it work?
The security flaw detected in the Register API allows access to a victim's account by supplying the victim's phone number in the username parameter.
The system then returns an access token, a system ID (SID) and a user ID (UID). With the SID, the hacker can access the victim's Jd pay account and other accounts, while the UID allows posting on the victim's social profile.
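As an added illustration (not Justdial's code; the handler names, the account store and the phone numbers are hypothetical), the following Python models the failure described above and the fix a defender would apply: the vulnerable handler returns an access token, SID and UID for whatever phone number is placed in the username parameter, while the hardened handler issues them only after a single-use code delivered to that number is presented, so knowing a number is no longer enough.

```python
"""Model of the Register API bug: the vulnerable handler mints a session
for whatever phone number the caller places in ``username``; the hardened
one does so only after a one-time code sent to that number is verified.
All names and values here are hypothetical, not Justdial's own."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed account store: phone number -> (SID, UID). Hypothetical values.
ACCOUNTS: Dict[str, Tuple[str, str]] = {"+911234567890": ("sid-alice", "uid-alice")}

@dataclass
class Session:
    access_token: str
    sid: str
    uid: str

def register_vulnerable(username: str) -> Optional[Session]:
    """Issues tokens from the phone number alone: nothing proves the caller
    controls that number, so any known number yields its account's session."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return None
    return Session(secrets.token_hex(16), *acct)

# One-time codes issued per phone number, held server-side only.
_PENDING_OTP: Dict[str, str] = {}

def request_otp(phone: str) -> str:
    """Generates a code and (in a real system) sends it by SMS to ``phone``.
    It is returned here only so a test can play the legitimate owner."""
    code = f"{secrets.randbelow(10**6):06d}"
    _PENDING_OTP[phone] = code
    return code

def register_hardened(username: str, otp: str) -> Optional[Session]:
    """Mints a session only when the caller presents the code delivered to
    the number, i.e. proves possession of the phone, not mere knowledge of it."""
    expected = _PENDING_OTP.get(username)
    if expected is None or not hmac.compare_digest(expected, otp):
        return None
    del _PENDING_OTP[username]          # single-use: a captured code cannot be replayed
    acct = ACCOUNTS.get(username)
    if acct is None:
        return None
    return Session(secrets.token_hex(16), *acct)
```

A production version would also rate-limit OTP attempts per number and expire pending codes after a short window.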
Ahmed has shared a video demonstrating the flaw.
Moneycontrol reached out to Justdial to learn about the flaw. The company acknowledged that there was a bug in one of its APIs. However, no loss of data or financial loss was reported. "We at Justdial take security seriously. There was a bug in one of our APIs which could potentially be accessed by an expert hacker. This bug has been fixed. We work with various security researchers to strengthen our platform and would like to thank Ehraz Ahmed for bringing this out to us", the statement read.