A flaw in the Indian Local search app flaw in API exposes 156 million users account information. The compromised information includes user personal details such as names, phone numbers, and email addresses. The hackers were also able to access the financial details which include balance and transactions of an account through the company’s payment service – Justdail Pay.
The flaw was detected by security researcher Ehraz Ahmed in Justdail’s Register API. While talking to MoneyControl he said the flaw allows hackers to log in to any Justdial account by placing the phone number in the username parameter. In this way, the hackers were able to take control of any user’s Justdial account. He has explained how it’s possible to login to any Jd Pay Account in the video below.
The company acknowledged the fact that there was a bug in one of its API which resulted in the data leak. Justdial confirmed they have fixed the bug yesterday.
“We at Justdial take security seriously. There was a bug in one of our APIs which could potentially be accessed by an expert hacker. This bug has been fixed. We work with various security researchers to strengthen our platform and would like to thank Ehraz Ahmed for bringing this out to us.”Justdial in a statement said