A significant flaw in Indian local search app Justdial allowed hackers to log in to any of its 156 million customer accounts.
Aside from accessing customer data such as names, phone numbers, and email addresses, the vulnerability let them peek into financial details, including the balance and transactions of an account on JustDial Pay, the company's payment service.
First reported by MoneyControl, the bug was found by security researcher Ehraz Ahmed last month. It exploited the site's Register API, which is used for sign-ups.
A video posted by Ahmed shows that a hacker can use a person's phone number as the username and gain access to the account through the flaw. The bug even allowed hackers to change the account details for JD Pay, so that all money sent to that account gets redirected. However, it didn't allow them to send money, since that requires an additional PIN.
JustDial said in a statement that the flaw was fixed yesterday:
We at Justdial take security seriously. There was a bug in one of our APIs which could potentially be accessed by an expert hacker. This bug has been fixed. We work with various security researchers to strengthen our platform and would like to thank Ehraz Ahmed for bringing this out to us.
The company said there was no loss of data.