Popular caller-identification app Truecaller recently fixed a security flaw that could expose sensitive user data, location, and system information to attackers. The flaw came to light after India-based security researcher Ehraz Ahmed reported the issue.
The Truecaller app provides a set of features to smartphone users including call-blocking, flash-messaging, caller-identification, call-recording, and Chat & Voice services. The globally available platform is popular in India with 500 million downloads and 150 million active users.
In a video post, the researcher described how a malicious link can be injected as a profile URL and used to attack users who click on the profile. According to Ahmed, the malicious script is executed without user consent.
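The weakness described above is a classic one: a user-controlled URL field is stored as free text and later rendered as a clickable link, so a value such as a `javascript:` URL ends up executing in the viewer's context. The code below is an added example, not Truecaller's code and not from the researcher's proof of concept; it assumes a hypothetical profile service that stores `profile_url` and renders it as an HTML anchor. The defence is to accept only `http`/`https` URLs with a real host at write time, and to HTML-escape both the URL and the display text at render time. The constructed sample inputs cover the cases a reviewer would expect a validator to handle (scheme casing, embedded control characters, scheme-relative and credential-bearing URLs).

```python
"""Defensive handling of a user-supplied profile URL (added example).

Assumes a hypothetical profile record whose ``profile_url`` field is
stored as text and later rendered as ``<a href=...>``.
"""
import html
from typing import Dict, Optional
from urllib.parse import urlsplit

# Only web URLs are meaningful for a profile link; everything else
# (javascript:, data:, vbscript:, file:, ...) is rejected.
ALLOWED_SCHEMES = {"http", "https"}


def validate_profile_url(raw: Optional[str]) -> Optional[str]:
    """Return the URL if it is a plain http(s) link with a host, else None.

    Rejecting at write time keeps bad values out of the data store, so
    every consumer (web, mobile, partner API) benefits, not only one renderer.
    """
    if raw is None:
        return None
    candidate = raw.strip()
    # Control characters inside the value are a red flag: some URL parsers
    # silently strip them, turning "java\tscript:" into "javascript:".
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in candidate):
        return None
    try:
        parts = urlsplit(candidate)
        # Accessing .port raises ValueError for a malformed port.
        _ = parts.port
    except ValueError:
        return None
    # urlsplit lowercases the scheme, so "JavaScript:" is caught too.
    if parts.scheme not in ALLOWED_SCHEMES:
        return None
    # A scheme-relative or host-less URL ("//evil.example", "https:///x")
    # has no trustworthy host; a userinfo part is a phishing aid.
    if not parts.hostname or parts.username is not None or parts.password is not None:
        return None
    return candidate


def render_profile_link(url: str, label: str) -> str:
    """Render an already-validated URL as an anchor, escaping attribute and text."""
    safe_url = html.escape(url, quote=True)
    safe_label = html.escape(label, quote=True)
    return f'<a href="{safe_url}" rel="noopener noreferrer">{safe_label}</a>'


# Constructed sample inputs (not real profile data).
SAMPLE_INPUTS = [
    "https://example.com/profile",
    "javascript:alert(1)",
    " JAVASCRIPT:alert(1) ",
    "java\tscript:alert(1)",
    "data:text/html,<script>alert(1)</script>",
    "//attacker.example/",
    "https://user:pw@example.com/",
    "http://example.com:notaport/",
]


def screen_samples() -> Dict[str, bool]:
    """Map each constructed input to whether the validator accepted it."""
    return {value: validate_profile_url(value) is not None for value in SAMPLE_INPUTS}


if __name__ == "__main__":
    for value, accepted in screen_samples().items():
        print(f"{'ACCEPT' if accepted else 'REJECT':6} {value!r}")
    print(render_profile_link("https://example.com/?a=1&b=2", 'Bob "B" <x>'))
```

Validation alone is not enough if a renderer builds HTML by string concatenation from the stored value, which is why the example escapes at render time as well; the two checks cover different failure modes (a bad value getting in, and a good value being mis-rendered).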
“The flaw could allow attackers to mount serious attacks on target machines, although this was not the scope of the proof of concept and has been played down by the company,” Ahmed said in a statement.
Truecaller confirmed the issue to Forbes, stating that “it was recently brought to our attention that there was a small bug in our app services which allowed the modification of one’s own profile in an unintended way. We thank the security researcher for bringing this to our notice and collaborating with us. The bug was immediately fixed.”
Truecaller thanked the researcher for reporting the vulnerability and urged all users to update to the latest version.
“We have partnered with a community of researchers and will shortly announce a bounty program where we, as a transparent and responsible organization, will also reward researchers for their contributions,” the company said in a statement.