Researcher: JustDial Leaks Information on 100 Million UsersUnprotected APIs Apparently Expose a Wealth of Data
Four unprotected application program interfaces for JustDial, a local search engine in India, are leaking the personally identifiable information of its more than 100 million customers in real time, says an independent security researcher who discovered the vulnerability.
"The information of every customer who has ever availed the service of JustDial through its website or app is now publicly accessible," says Rajshekhar Rajaharia, who discovered the leak. "In fact, information of people who have never registered but have only called the company's helpline is also available."
The leaked data, Rajaharia says, includes JustDial users' names, emails, mobile numbers, addresses, gender, dates of birth, photos, occupations and names of companies where they work.
"Though the unprotected APIs have existed since at least mid-2015, it's not clear if anyone has misused it to gather personal information on JustDial users," Rajaharia adds.
The researcher claims he contacted JustDial last week, but could not reach appropriate staff members. "It was then I wrote the about the vulnerability on Facebook," he says. Rajaharia says the security team of JustDial finally got in touch with him Wednesday and reported that it's working on resolving the issue.
Does Anyone know the way to contact Justdial. Contacted #JustDial on 12th via ContactUs Page but no responce. #dataleak #CyberSecurity #dataprotection #GDPR #privacy #breach #CyberAttack #business #hack #Hacker #tech #technology #DigitalIndia #datasecurity #infosec #cyber pic.twitter.com/cGqexg0Zt0— Rajshekhar Rajaharia (@rajaharia) April 16, 2019
The Problem Area
The researcher says he discovered the data leak while pen testing JustDials' new APIs. "The new APIs are protected and use multifactor authentication. I found four old APIs with leaky endpoints," he says. "They were all returning the same data but created in different years."
Mohit Kumar, founder of HackerNews, a hacking news source website, writes in a blog that he also confirmed the data leak.
"I wanted to verify if user information is getting leaked in real time," he informs ISMG. "I provided the researcher a new phone number that was never before registered with JustDial server. I then simply called the customer care number and shared a random name and personal details with the executive. Immediately after completing the call, Rajaharia sent me the profile details I shared with the JustDial executive associated."
Below is a screenshot of the kind of information getting leaked.
Fixing the Problem
Security experts say the obvious fix to the data leak is to delete the old APIs, which could serve as a backdoor for hackers.
"Considering that JustDial is one of India largest local search engines, the database is huge. This is pure callousness," Dinesh O. Bareja, COO at Open Security Alliance, says of the data leak tied to the APIs.
JustDial did not immediately reply to a request for comment.