Subscribe to our newsletters
Sign Up

The Hacker News — Cyber Security, Hacking, Technology News

Tuesday, March 29, 2016 Swati Khandelwal

Truecaller
Security researchers have discovered a remotely exploitable vulnerability in Called ID app "Truecaller" that could expose personal details of Millions of its users.

Truecaller is a popular service that claims to "search and identify any phone number," as well as helps users block incoming calls or SMSes from phone numbers categorized as spammers and telemarketers.

The service has mobile apps for Android, iOS, Windows, Symbian devices and BlackBerry phones.

The vulnerability, discovered by Cheetah Mobile Security Research Lab, affects Truecaller Android version of the app that has been downloaded more than 100 Million times.

The actual problem resides in the way Truecaller identify users in its systems.

While installation, Truecaller Android app asks users to enter their phone number, email address, and other personal details, which is verified by phone call or SMS message. After this, whenever users open the app, no login screen is ever shown again.

This is because Truecaller uses the device's IMEI to authenticate users, according to researchers.
"Anyone gaining the IMEI of a device will be able to get Truecaller users' personal information (including the phone number, home address, mail box, gender, etc.) and tamper app settings without users' consent, exposing them to malicious phishers," Cheetah Mobile wrote in a blog post.
Cheetah Mobile researchers told The Hacker News that they were able to retrieve personal data belonged to other users with the help of exploit code just by interacting with Truecaller's servers.

On a successful exploitation of this flaw, the attackers can:
  • Steal personal information like account name, gender, e-mail, profile pic, home address, and more.
  • Modify a user's application settings.
  • Disable spam blockers.
  • Add to a black list for users.
  • Delete a user's blacklist.
Cheetah Mobile informed Truecaller of this flaw, and the company updated their servers as well as released an upgraded version of its Android app on March 22 in order to prevent abuse exploiting this flaw.

Truecaller said in its blog post published Monday that the vulnerability did not compromise any of its user information.

If you haven’t, download the latest version of Truecaller for your Android devices from the Google Play Store Now!

Wednesday, July 17, 2013 Mohit Kumar

TrueCaller, a popular app built by a Swedish company and world's largest collaborative phone directory compromised by Syrian Electronic Army hackers.
Truecaller was running an outdated version (3.5.1) of blogging software WordPress for its web interface and there are millions of Phonebook records available in their database that were reportedly stolen by hackers, as claimed on their twitter account.
Syrian Electronic Army also claimed that the database contains million of access codes of Facebook, Twitter, Linkedin, Gmail Accounts of different users, that can be used to post update from compromised Accounts.

In total, the hackers claimed to downloaded more than 7 databases fro Truecaller server of 450GB in size. At the time of reporting this news, Truecaller website is still under maintenance and index page saying, "We are doing some upgrades. Thank you for your patience."

SEA also posted a database screenshot on twitter, showing the phonebook list:
In another tweet, they have also leaked the login credentials for the site’s databases:
The application’s database, essentially, is a giant, collective, phone book. This breach in the database of this small Swedish firm compromised a vast amount of private information. So, Stop using such applications who are harvesting your Data and violates your privacy and of your friends.

Newsletter Subscription

Subscribe to our newsletter and get all latest hacking news, free eBooks delivered to your inbox.

Join Over 450,000 Subscribers!