Moneycontrol PRO
Upcoming Event : LeapToUnicorn - mentoring, networking and fundraising for startups. Register now
you are here: HomeNewsTrends

Exclusive: Justdial security flaw may allow hackers to breach pay accounts of 156 million users

The flaw allows a hacker to log in to any Justdial account by placing the phone number in the username parameter.

October 10, 2019 / 09:49 AM IST
  • bselive
  • nselive
Todays L/H

A major security flaw has been detected on Justdial wherein a user's account can be hacked to use different services offered by the local search company. The flaw gives access to nearly 156 million unique users across Justdial's web, mobile website, app and voice platforms.

The flaw has been detected in Justdial’s Register API by security researcher Ehraz Ahmed, who shared the details exclusively with Moneycontrol. The flaw allows a hacker to log in to any Justdial account by placing the phone number in the username parameter. This would then give the hacker access to any person’s Justdial account.

Access to  Justdial user accounts can potentially make data of its 156.1 million users available online.

How does it work?

The security flaw detected in the Register API allows access to a victim’s account by replacing the phone number under the username parameter.

The system would then return an access token, system ID (SID) and user ID (UID). Using the SID, the hacker can access the victim’s Jd pay account and other accounts, whereas the UID would allow posting on the victim’s social profile.

Ahmed has shared a video demonstrating the flaw.

Moneycontrol reached out to Justdial to learn about the flaw. The company acknowledged that there was a bug in one of its API. However, there was no loss of any data or financial loss reported.

"We at Justdial take security seriously. There was a bug in one of our API which could potentially be accessed by an expert hacker. This bug has been fixed. We work with various security researchers to strengthen our platform and would like to thank Ehraz Ahmed for bringing this out to us", the statement read.
Invite your friends and family to sign up for MC Tech 3, our daily newsletter that breaks down the biggest tech and startup stories of the day

Pranav Hegde
first published: Oct 9, 2019 07:06 pm