The ‘personal safety’ application includes an emergency button that, at a single tap during a crisis, notifies the user's selected contacts, such as family members, and shares the user's real-time location with them.
Prakash, founder of cybersecurity startup Pingsafe, noted that it was possible for a potential attacker to log in to a victim’s account using nothing more than the victim's phone number. From there, the attacker could take full control of the account and the data associated with it, including the live locations of the guardians or emergency contacts, the victim's date of birth and profile picture, he said.
The Guardian app was launched on March 3 and currently has over 100,000 downloads on the Play Store.
The researcher informed Truecaller on March 4, and the issue was fixed the same day. The vulnerability stemmed from a basic API error, he said. When an application programming interface (API) does not properly verify who is calling it, data that a website or app would not normally expose can become accessible.
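To make this class of API error concrete, the following is an added illustration written for this article; it is not Truecaller's code and does not reproduce the researcher's findings. It contrasts a login handler that treats knowledge of a phone number as sufficient to issue a session with one that first sends a one-time code to that number and issues a session only to a caller who presents it, with expiry and an attempt cap. The user table, the placeholder phone numbers and the `OtpLogin` class are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data: a tiny in-memory user table with placeholder numbers.
USERS = {
    "+910000000001": {"name": "example user", "guardians": ["+910000000002"]},
}


def vulnerable_login(phone: str):
    """Models the flaw: any caller who knows a registered number gets a session.

    Nothing here proves the caller controls the number, so a public identifier
    is acting as the credential.
    """
    if phone not in USERS:
        return None
    return secrets.token_urlsafe(32)


class OtpLogin:
    """Hardened flow (hypothetical): a one-time code is delivered to the number,
    and a session is issued only to a caller who presents that code before it
    expires or the attempt budget is used up."""

    OTP_DIGITS = 6

    def __init__(self, ttl_seconds: int = 300, max_attempts: int = 3, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._max_attempts = max_attempts
        self._clock = clock  # injectable so expiry can be tested deterministically
        self._pending = {}   # phone -> {"digest": bytes, "expires": float, "attempts": int}

    def request_otp(self, phone: str):
        """Generate a code for a registered number.

        The code is returned here only so it can be handed to the SMS gateway;
        it must never appear in the HTTP response to the caller.
        """
        if phone not in USERS:
            return None
        otp = f"{secrets.randbelow(10 ** self.OTP_DIGITS):0{self.OTP_DIGITS}d}"
        self._pending[phone] = {
            # Store a digest rather than the code itself.
            "digest": hashlib.sha256(otp.encode()).digest(),
            "expires": self._clock() + self._ttl,
            "attempts": 0,
        }
        return otp

    def verify(self, phone: str, otp: str):
        """Return a session token only for a correct, unexpired, unexhausted code."""
        entry = self._pending.get(phone)
        if entry is None:
            return None
        if self._clock() > entry["expires"]:
            del self._pending[phone]
            return None
        entry["attempts"] += 1
        if entry["attempts"] > self._max_attempts:
            del self._pending[phone]  # too many guesses: force a fresh code
            return None
        presented = hashlib.sha256(otp.encode()).digest()
        if not hmac.compare_digest(presented, entry["digest"]):
            return None
        del self._pending[phone]  # one-time: a used code cannot be replayed
        return secrets.token_urlsafe(32)


if __name__ == "__main__":
    print("vulnerable: token issued for bare number ->", bool(vulnerable_login("+910000000001")))
    auth = OtpLogin()
    code = auth.request_otp("+910000000001")  # would be sent by SMS, not shown to the caller
    print("hardened: wrong code ->", auth.verify("+910000000001", "000000") is not None)
    print("hardened: correct code ->", auth.verify("+910000000001", code) is not None)
```

The point of the contrast is that the phone number is the lookup key, not the secret: the hardened flow binds the session to proof of possession of the number, keeps only a digest of the code, compares it in constant time, and makes each code single-use, time-limited and guess-limited.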
“When it got launched, I immediately started looking through the app. Within a few minutes, I was able to discover this issue on the app. I selected the ‘Login API’ on the app and put in someone else’s phone number and was able to log in to the person’s account. We replicated this issue on other numbers and reported it to Truecaller. They ..