Moneycontrol Be a Pro
Get App
you are here: HomeNewsTrends
Last Updated : Oct 10, 2019 09:49 AM IST | Source:

Exclusive: Justdial security flaw may allow hackers to breach pay accounts of 156 million users

The flaw allows a hacker to log in to any Justdial account by placing the phone number in the username parameter.

Pranav Hegde @PranavHegdeHere
  • bselive
  • nselive
Todays L/H

A major security flaw has been detected on Justdial wherein a user's account can be hacked to use different services offered by the local search company. The flaw gives access to nearly 156 million unique users across Justdial's web, mobile website, app and voice platforms.

The flaw has been detected in Justdial’s Register API by security researcher Ehraz Ahmed, who shared the details exclusively with Moneycontrol. The flaw allows a hacker to log in to any Justdial account by placing the phone number in the username parameter. This would then give the hacker access to any person’s Justdial account.

Access to  Justdial user accounts can potentially make data of its 156.1 million users available online.


How does it work?

The security flaw detected in the Register API allows access to a victim’s account by replacing the phone number under the username parameter.

The system would then return an access token, system ID (SID) and user ID (UID). Using the SID, the hacker can access the victim’s Jd pay account and other accounts, whereas the UID would allow posting on the victim’s social profile.

Ahmed has shared a video demonstrating the flaw.

Moneycontrol reached out to Justdial to learn about the flaw. The company acknowledged that there was a bug in one of its API. However, there was no loss of any data or financial loss reported.

"We at Justdial take security seriously. There was a bug in one of our API which could potentially be accessed by an expert hacker. This bug has been fixed. We work with various security researchers to strengthen our platform and would like to thank Ehraz Ahmed for bringing this out to us", the statement read.

The Great Diwali Discount!
Unlock 75% more savings this festive season. Get Moneycontrol Pro for a year for Rs 289 only.
Coupon code: DIWALI. Offer valid till 10th November, 2019 .
First Published on Oct 9, 2019 07:06 pm
Follow us on
Available On
PCI DSS Compliant