An unprotected database belonging to JustDial, India's largest local search service, is leaking personally identifiable information, in real time, of every customer who accessed the service through its website, its mobile app, or even by calling its fancy "88888 88888" customer care number, The Hacker News has learned and independently verified.
Founded over twenty years ago, JustDial (JD) is the oldest and leading local search engine in India. It lets users quickly find relevant nearby providers and vendors of various products and services, while helping businesses listed on JD market their offerings.
Rajshekhar Rajaharia, an independent security researcher, yesterday contacted The Hacker News and shared details of how an unprotected, publicly accessible API endpoint of JustDial's database could be queried by anyone to view the profile information of over 100 million users, looked up by their mobile numbers.
The leaked data includes JustDial users' name, email address, mobile number, postal address, gender, date of birth, photo, occupation and the name of the company they work for, essentially whatever profile-related information a customer ever provided to the company.
Though the unprotected APIs have existed since at least mid-2015, it is not clear whether anyone has misused them to collect personal information on JustDial users.
Justdial Is Leaking Personal Details of All Customers
After verifying the leaky endpoint, The Hacker News also wanted to confirm whether the API was fetching results directly from the production server or from a backup database that might not contain information on recently signed-up users.
To find this out, I provided Rajshekhar with a new phone number that had never before been registered with the Justdial server, which he confirmed was not listed in the database at the time.
Instead of installing and using the JD app or its website, I then simply called the customer care number and shared a random name and personal details with the executive in order to learn of a few good restaurants in my city.
Immediately after I completed the call, Rajshekhar sent me the profile details I had shared with the JD executive, associated with the same phone number that had previously not been found in the database, indicating that the unprotected API is fetching real-time information on users.
Although the unprotected API is linked to the primary JD database, Rajshekhar revealed that it is an old API endpoint that is no longer used by the company but was left behind, forgotten, on the server.
Rajshekhar told The Hacker News that he discovered this unprotected endpoint while pentesting the latest APIs in use, which are apparently protected and use authentication measures.
Besides this, Rajshekhar also found several other old, unprotected APIs, one of which could allow anyone to trigger an OTP request for any registered phone number. That may not be a serious security issue in itself, but it could be used to spam users and would cost the company money for every message sent.
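The failure mode described above, a retired endpoint that still reads the live user table without authentication next to a current one that requires a token, plus an unthrottled OTP trigger, is shown below as an added example. This is illustrative code written for this article, not JustDial's code or the researcher's; the route paths, the bearer token, the user record and the rate-limit figure are all assumptions chosen for the demonstration. The point a practitioner should take from it is the last function: a startup audit over the route registry that refuses to serve while any route returns profile data without auth or sends OTPs without a throttle, so a forgotten endpoint cannot quietly outlive the API version that replaced it.

```python
"""Added example, not JustDial's code: a minimal route registry for a
phone-number lookup API. It shows a forgotten legacy endpoint with no
authentication reading the same live user table as the protected current one,
an unthrottled OTP trigger, and a startup audit that refuses to boot while
such routes exist. Paths, tokens and records are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
import time

# Constructed sample of the live user table, keyed by mobile number.
USERS = {
    "9100000001": {"name": "A. Example", "email": "a@example.invalid",
                   "dob": "1990-01-01"},
}
VALID_TOKENS = {"tok-app-v3"}  # hypothetical bearer tokens issued to the app

@dataclass
class Route:
    path: str
    handler: object
    auth: bool        # caller must present a valid bearer token
    rate_limit: int   # max calls per (path, mobile) per minute; 0 = unlimited
    kind: str         # "read" returns profile fields, "otp" sends a message

ROUTES = {}

def route(path, *, auth, rate_limit=0, kind="read"):
    """Register a handler together with its security metadata."""
    def deco(fn):
        ROUTES[path] = Route(path, fn, auth, rate_limit, kind)
        return fn
    return deco

# Current lookup used by the app: token required, throttled.
@route("/api/v3/profile", auth=True, rate_limit=30)
def profile_v3(params):
    return dict(USERS.get(params["mobile"], {}))

# Legacy lookup nobody retired: no token, same live table (hypothetical path).
@route("/api/v1/profile", auth=False)
def profile_v1(params):
    return dict(USERS.get(params["mobile"], {}))

# Legacy OTP trigger with no throttle: anyone can flood a number at the
# company's expense (hypothetical path).
@route("/api/v1/send_otp", auth=False, rate_limit=0, kind="otp")
def send_otp_v1(params):
    return {"otp_sent_to": params["mobile"]}

_calls = defaultdict(list)   # (path, mobile) -> call timestamps in the last minute

def handle(path, params, token=None, now=None):
    """Dispatch one request; returns (status, body)."""
    r = ROUTES.get(path)
    if r is None:
        return 404, {}
    if r.auth and token not in VALID_TOKENS:
        return 401, {}
    if r.rate_limit:
        now = time.time() if now is None else now
        key = (path, params.get("mobile"))
        recent = [t for t in _calls[key] if now - t < 60]
        if len(recent) >= r.rate_limit:
            return 429, {}
        recent.append(now)
        _calls[key] = recent
    return 200, r.handler(params)

def audit_routes(routes=None):
    """List routes that return profile data without auth or send OTPs
    without a throttle, sorted by path."""
    routes = ROUTES if routes is None else routes
    findings = []
    for r in routes.values():
        if r.kind == "read" and not r.auth:
            findings.append((r.path, "profile data without auth"))
        if r.kind == "otp" and r.rate_limit == 0:
            findings.append((r.path, "otp trigger without rate limit"))
    return sorted(findings)

def check_at_startup(routes=None):
    """Fail closed: refuse to serve while the audit has findings."""
    findings = audit_routes(routes)
    if findings:
        raise RuntimeError(f"insecure routes registered: {findings}")
    return True

if __name__ == "__main__":
    print(handle("/api/v1/profile", {"mobile": "9100000001"}))   # leaks the record
    print(handle("/api/v3/profile", {"mobile": "9100000001"}))   # 401 without a token
    print(audit_routes())
```

With the two legacy routes registered, `check_at_startup()` raises and the service does not come up; with only the v3 route it returns `True`. In a real deployment the same audit belongs in CI against the framework's route table, so that removing an endpoint from the client is not mistaken for removing it from the server.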
Rajshekhar also said that he tried to contact the company to responsibly disclose his findings, but unfortunately could not find any direct way to reach the company and report the incident.
The Hacker News has also emailed a few addresses linked to the company that we found on the Internet, providing details of the incident. We will update this report when we hear back. Stay tuned.