Recently a unique and severe security flaw was discovered in Just Dial. By exploiting this flaw, a user’s account can be hacked and different services can be used which are provided by the company Justdial.
Contents
How Did This Happen?
The flaw has been detected by security researcher Ehraz Ahmed. According to him, this flaw is present in Justdial’s Register API.
By using this flaw, any hacker can log in to any Justdial account by simply placing the phone number in the username field.
This small deed will give the power to hacker to access any person’s Justdial account.
Who Can Get Affected By This Flaw?
By doing these minimal steps, the hacker can get access to Justdial’s user’s account. This flaw can exploit accounts for almost 156 million unique users across Justdial’s website, mobile website, app and voice platforms.
This flaw can potentially make availability of data of its 156.1 million users online.
How Do They Do It?
Basically this flaw allows access to the victim’s account by simply replacing the phone number under the username parameter.
In response to this action, the system returns an access token, system ID (SID) and user ID (UID). BY using the SID code, hackers can easily access the user’s Justdial pay account and other accounts.
On the other hand, the UID would allow hackers to submit posts on the victim’s social profile.
The researcher has also shared a video on Youtube for demonstrating this flaw. He has also written a blog post to give more information about the same.
What Does The Company Has To Say?
The company accepted that there is a bug in one of its APIs related to login. However, they claim that there was no loss of any data or financial loss reported.
They have acknowledged this flaw in a filing to the BSE. They said that it could potentially be accessed by an expert hacker to gather basic user information.
They Said “We at Justdial take security seriously. There was a bug in one of our API which could potentially be accessed by an expert hacker. This bug has been fixed. We work with various security researchers to strengthen our platform and would like to thank Ehraz Ahmed for bringing this out to us,”. ( reference moneycontrol)
The company was founded in 1996 by VSS Mani. They provide local search for different services in India over the phone and online. The company has its headquarters in Mumbai.