Researcher: JustDial Had New User Data LeakBut Search Engine Company Says Issue Has Been Resolved
JustDial had a second major leak of user information, claims an independent security researcher who earlier this month said he discovered a security loophole in the Mumbai-based hyperlocal search engine. But the company says it has fixed this second vulnerability.
In his original revelation on April 17, the researcher, Rajshekhar Rajaharia, said JustDial was leaking through four unprotected application user interfaces information on 100 million users, including names, emails, mobile numbers, addresses, gender, dates of birth, photos, occupations and names of companies where they work.
A few days after that announcement, JustDial said in a statement said that the vulnerability was fixed. "The older version of our apps, which currently caters to only a very small fraction of our users, were using certain APIs by which basis certain basic user details were accessible," the company said.
JustDial also said it had implemented adequate encryption. "While there are regular audits conducted, we have also initiated an independent tech audit to identify any existing vulnerabilities," JustDial said.
In recent days, however, Rajaharia claimed that user IDs and mobile phone numbers for those users who serve as reviewers for the platform were publicly accessible due to another API issue.
"The API which is related to their current version of website is leaking reviewers' mobile numbers," he said when announcing the vulnerability. "This is a new issue but has similarities to their older vulnerability. This data can be accessed by anyone since JustDial does not authenticate its APIs and neither is the data encrypted," Rajaharia said. JustDial does not provide any option for users to delete their profile, he claimed.
JustDial says it adds about 134 million unique users every quarter.
"Interestingly, whosoever calls JustDial is asked to review their service once the call is over," the researcher said. "So one can imagine the number of users whose data is at risk."
Rajaharia said every JustDial reviewer gets a unique data review ID. "Using a simple programming code, it is very easy to fetch these unique IDs of users. Then using these IDs, one can download mobile numbers of users, which can be used in different forms to commit a fraud," he said.
Rajaharia claimed that he reached out to JustDial but did not get any response. In the latest development, however, JustDial has said it has fixed the issue.
Back to Basics
Dinesh O. Bareja, COO at Open Security Alliance, observes: "Most apps and search engines have a tendency to collect unnecessary user information, which adds little value to their business but falls under sensitive personal information. Either companies must follow strong encryption standards or they must stop collecting excess data."
Rajaharia says applying basic security principles could help avoid API-related data leak issues.
"They should rescan all of their programming codes and APIs and check whether everything is protected and secured," he says. "They must also have a number or email ID where someone can report data security related issues easily rather than hunting for one. Many companies, like Google, Facebook and Microsoft, are doing that."