Last Updated : Oct 09, 2019 08:03 PM IST | Source: Moneycontrol.com

Exclusive: Justdial security flaw may allow hackers to breach pay accounts of 156 million users

The flaw allows a hacker to log in to any Justdial account by placing the phone number in the username parameter.

Pranav Hegde @PranavHegdeHere
 
 
A major security flaw has been detected on Justdial wherein a user's account can be hacked to use different services offered by the local search company. The flaw gives access to nearly 156 million unique users across Justdial's web, mobile website, app and voice platforms.

The flaw has been detected in Justdial’s Register API by security researcher Ehraz Ahmed, who shared the details exclusively with Moneycontrol. The flaw allows a hacker to log in to any Justdial account by placing the phone number in the username parameter. This would then give the hacker access to any person’s Justdial account.

Access to Justdial user accounts can potentially make data of its 156.1 million users available online.

How does it work?

The security flaw detected in the Register API allows access to a victim’s account by replacing the phone number under the username parameter.

The system would then return an access token, system ID (SID) and user ID (UID). Using the SID, the hacker can access the victim’s Justdial Pay account and other accounts, whereas the UID would allow posting on the victim’s social profile.
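The pattern described above, reduced to a minimal sketch beside one common mitigation (proof of phone ownership by one-time code). This is an added example, not Justdial's code or the researcher's; the function names, in-memory stores and sample account are hypothetical, and the OTP flow is an assumed fix that the article does not describe.

```python
import hmac
import secrets

# Constructed in-memory stores standing in for a user database and an OTP service.
USERS = {"9000000001": {"uid": "u-1001"}}  # constructed sample account
PENDING_OTP = {}                           # phone number -> code awaiting confirmation


def _issue_session(uid):
    """Mint fresh session identifiers for a user."""
    return {"access_token": secrets.token_urlsafe(32),
            "sid": secrets.token_urlsafe(16),
            "uid": uid}


def register_vulnerable(username):
    """Flawed pattern: whoever names a phone number receives that account's session."""
    user = USERS.setdefault(username, {"uid": "u-" + secrets.token_hex(4)})
    return _issue_session(user["uid"])     # no proof the caller owns the number


def register_start(username):
    """Hardened step 1: queue a one-time code and return nothing secret."""
    PENDING_OTP[username] = f"{secrets.randbelow(10**6):06d}"
    # A real service would deliver the code by SMS. The response is the same for
    # new and existing numbers, so it reveals neither tokens nor account existence.
    return {"status": "otp_sent"}


def register_confirm(username, otp):
    """Hardened step 2: issue a session only after the code is proven."""
    expected = PENDING_OTP.pop(username, None)   # single use: consumed on any attempt
    if expected is None or not hmac.compare_digest(expected.encode(), otp.encode()):
        return {"status": "denied"}
    user = USERS.setdefault(username, {"uid": "u-" + secrets.token_hex(4)})
    return {"status": "ok", **_issue_session(user["uid"])}
```

A production version would also rate-limit `register_start` and expire pending codes after a short interval.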

Ahmed has shared a video demonstrating the flaw.

Moneycontrol has reached out to Justdial to learn about the flaw. The company said that it is currently identifying the flaw and working on a fix.

Note: This article will be updated once we receive a statement from Justdial.

First Published on Oct 9, 2019 07:06 pm


