Justdial, India's largest local search service, is leaking personally identifiable information of every customer in real time through an unprotected database service, according to a news report. The exposure covers anyone who accessed the service via its website, its mobile app, or even by calling its well-known "88888 88888" customer care number. The personal data of over 100 million Just Dial users was exposed online, including details such as names, email IDs, mobile numbers, gender, date of birth and addresses of users of the local search service.
JustDial (JD), founded over two decades ago, is the oldest and leading local search engine in India. It lets users quickly find relevant nearby providers and vendors of various products and services, while helping businesses listed in JD market their offerings.
The data breach was first discovered by independent security researcher Rajshekhar Rajaharia, who shared the details of JustDial's data breach in a Facebook post. "Dear Justdial Your 100 Million users data including name, email, mobile number, gender, dob, address, photo, company, occupation & other details are publicly accessible. Fix it ASAP," he wrote in the post.
Justdial is using an unprotected, publicly accessible API endpoint of its database, which anyone can query to view the profile information of over 100 million users by their mobile numbers. The leaked data includes JustDial users' name, email, mobile number, address, gender, date of birth, photo, occupation and the company they work for, basically whatever profile-related information a customer ever provided to the company. Though the unprotected API has existed since at least mid-2015, it is not clear whether anyone has misused it to gather personal information on JustDial users.
Justdial is Leaking Personal Details Of All Customers
According to Rajaharia, 70 per cent of the data leaked online as part of the breach belonged to users who had called JustDial's customer care number "88888 88888". As per his findings, the breach affected users who dialed the company's customer care number even if they never accessed its mobile app or website.
Inc42 quoted a senior JustDial executive on Monday as saying that the company is investigating the alleged loopholes in its database and that the company's systems are foolproof.
Although the unprotected API is connected to the primary JD database, Rajshekhar revealed that it's an old API endpoint which is not currently being used by the company but left forgotten on the server.
Rajshekhar told The Hacker News that he discovered this unprotected end-point while pentesting the latest APIs in use, which are apparently protected and using authentication measures.
Besides this, Rajshekhar also found a few other old unprotected APIs, one of which could allow anyone to trigger an OTP request for any registered phone number. That might not be a serious security issue in itself, but it could be used to spam users and run up costs for the company.
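As an added illustration (not code from JustDial or from the researcher), the kind of control that blunts the OTP-spamming abuse described above: a sliding-window limiter keyed on both the target phone number and the requesting client, which also records every blocked attempt for detection. The thresholds, client identifiers and phone numbers are constructed assumptions, not JustDial's real configuration.

```python
import time
from collections import defaultdict, deque

# Constructed policy values (assumptions, not JustDial's real configuration):
# at most 3 OTP sends per phone number and 20 per requesting client
# (e.g. source IP or API key) within any 10-minute window.
WINDOW_SECONDS = 600
PER_NUMBER_LIMIT = 3
PER_CLIENT_LIMIT = 20


class OtpRateLimiter:
    """Sliding-window limiter keyed on both the target number and the caller."""

    def __init__(self, window=WINDOW_SECONDS, per_number=PER_NUMBER_LIMIT,
                 per_client=PER_CLIENT_LIMIT):
        self.window = window
        self.per_number = per_number
        self.per_client = per_client
        self._by_number = defaultdict(deque)   # number -> send timestamps
        self._by_client = defaultdict(deque)   # client -> send timestamps
        self.blocked = []  # (timestamp, client, number, reason) for SOC review

    def _prune(self, q, now):
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()

    def allow(self, client, number, now=None):
        """Return True if an OTP may be sent; otherwise log why it was blocked."""
        now = time.time() if now is None else now
        nq, cq = self._by_number[number], self._by_client[client]
        self._prune(nq, now)
        self._prune(cq, now)
        if len(nq) >= self.per_number:
            self.blocked.append((now, client, number, "per-number limit"))
            return False
        if len(cq) >= self.per_client:
            self.blocked.append((now, client, number, "per-client limit"))
            return False
        nq.append(now)
        cq.append(now)
        return True


def simulate(limiter, requests):
    """Replay a constructed (timestamp, client, number) sequence.

    Returns (allowed_count, blocked_count)."""
    allowed = sum(1 for t, client, number in requests
                  if limiter.allow(client, number, now=t))
    return allowed, len(limiter.blocked)
```

The `blocked` list is the detection hook: a burst of "per-client limit" entries from one client across many numbers is the signature of the spamming scenario above.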
Rajshekhar also claimed that he tried to contact the company to responsibly disclose his findings, but unfortunately failed to find any direct way to contact the company and report the incident.
Another report by news agency IANS said on Wednesday that cyber security experts have raised alarms over an 'advanced phishing attack' on IT bellwether Wipro, saying that no organisation, regardless of its size, is immune from sophisticated cyber criminals in India. The IT giant suffered an attack on its employee database. E-commerce giant Amazon faced a data leak in December last year that exposed some sellers’ private financial information to other users. Amazon India has 150 million registered users and around 4 million merchants sell on its platform.