A severe security flaw has been found in Truecaller, one of the most popular apps among both Android and iPhone users. The vulnerability has the potential to expose device data along with location information. Forbes reports that an India-based researcher found that attackers can victimize users by placing a malicious link in the profile picture section. The attack is triggered once someone clicks on that profile photo section.
The researcher developed a PoC to support his claim and shared it with local media to get the company's attention. He asserted that the flaw lets an attacker push a malicious link into the profile photo section of Truecaller. Once a user views the attacker's profile, the attack fires on the user's device, whether the user opens the attacker's profile directly or clicks on a popup window.
Through his PoC, the researcher demonstrated that the vulnerability can be used to retrieve sensitive personal information such as the victim's IP address, system time and User-Agent without being noticed. Those three values are exactly what any web server records for an incoming request, so the leak needs no code execution on the phone, only that the app fetch a resource from a host the attacker controls. Because all of this happens invisibly, victims notice nothing irregular even after being compromised.
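The two sides of the leak described above, as an added example that is neither the researcher's PoC nor Truecaller code. It assumes (an assumption, since the article does not say how the field was handled) that the profile-picture field accepted an arbitrary URL which the viewing client then fetched directly. Part 1 shows what the host serving that URL learns from the single fetch; part 2 is the kind of server-side allow-list check that would refuse such a URL before it is stored. The host names, the allow-list and the sample request are constructed for the example.

```python
"""
Added example (not the researcher's PoC, not Truecaller code).

Assumption: the profile-picture field accepted an arbitrary URL that the
viewing client fetched directly. Two parts:

1. what an attacker-controlled server learns from that single fetch
   (the IP address, request time and User-Agent the article mentions);
2. a server-side allow-list check that rejects such URLs before they are
   stored, so clients only ever fetch pictures from hosts the service runs.
"""
import time
from urllib.parse import urlsplit

# --- Part 1: what one image fetch reveals to the host serving it ----------

def log_image_request(remote_addr, headers, now=None):
    """Record what a web server sees when a client fetches an image URL.

    `remote_addr` and `headers` are the values a WSGI/ASGI framework hands
    the request handler; the victim's app has to do nothing beyond loading
    the picture for these to be captured.
    """
    now = time.time() if now is None else now
    return {
        "ip": remote_addr,
        "time": now,
        "user_agent": headers.get("User-Agent", ""),
    }

# Constructed sample request, shaped as a framework would deliver it.
SAMPLE_REQUEST = {
    "remote_addr": "203.0.113.7",  # RFC 5737 documentation address
    "headers": {"User-Agent": "Dalvik/2.1.0 (Linux; U; Android 9; Pixel 3)"},
}

# --- Part 2: refuse profile-picture URLs that point outside our own CDN ---

# Hypothetical allow-list; a real deployment names its own image hosts.
ALLOWED_IMAGE_HOSTS = {"images.example.com", "cdn.example.com"}

def is_allowed_avatar_url(url, allowed_hosts=ALLOWED_IMAGE_HOSTS):
    """Accept only https URLs whose host is on the allow-list.

    Rejects non-https schemes (javascript:, data:, http:), embedded
    credentials (user:pass@host), explicit ports, and hosts outside the
    allow-list. urlsplit() is used rather than substring matching so that
    "https://cdn.example.com@attacker.test/x.png" is parsed the way a
    client parses it: the host is attacker.test, not cdn.example.com.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    try:
        if parts.port is not None:
            return False
    except ValueError:  # non-numeric port
        return False
    host = (parts.hostname or "").lower()
    return host in allowed_hosts

def store_avatar_url(url):
    """Gatekeeper a profile-update handler would call: returns the URL it
    will persist, or None when the URL is refused."""
    return url if is_allowed_avatar_url(url) else None

if __name__ == "__main__":
    print(log_image_request(SAMPLE_REQUEST["remote_addr"],
                            SAMPLE_REQUEST["headers"]))
    for u in ["https://cdn.example.com/u/123.png",
              "https://cdn.example.com@attacker.test/p.png",
              "http://cdn.example.com/u/123.png",
              "javascript:alert(1)"]:
        print(u, "->", store_avatar_url(u))
```

The allow-list only closes the path in which the client fetches whatever URL the profile owner supplied; if the service instead copies every upload onto its own storage and serves it from there, the viewer never contacts a third-party host at all, which is the stronger design.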
The company later confirmed the existence of the vulnerability to Forbes. The Sweden-based developer also said it took the exploit seriously and came back with a fix. At the time of writing, the company had rolled out an update.
Truecaller has faced several security flaws before
Truecaller was developed to filter out spam calls and is quite popular in several countries, including India. Across the Android and iPhone app stores, the app has recorded 500 million downloads, with a daily user count of 150 million. Notably, Truecaller has experienced several security incidents in the past, including privacy breaches, cyber-attacks and other security flaws.
The company has said it is rolling out a bug bounty program to strengthen the app's security. Separately, Check Point Security recently flagged several popular apps, including Facebook, Yahoo and Facebook Messenger, and described the exploitable flaws it found in each.