
Researcher: JustDial Leaks Information on 100 Million Users

Unprotected APIs Apparently Expose a Wealth of Data

Four unprotected application program interfaces for JustDial, a local search engine in India, are leaking the personally identifiable information of its more than 100 million customers in real time, says an independent security researcher who discovered the vulnerability.

"The information of every customer who has ever availed the service of JustDial through its website or app is now publicly accessible," says Rajshekhar Rajaharia, who discovered the leak. "In fact, information of people who have never registered but have only called the company's helpline is also available."

The leaked data, Rajaharia says, includes JustDial users' names, emails, mobile numbers, addresses, gender, dates of birth, photos, occupations and names of companies where they work.

"Though the unprotected APIs have existed since at least mid-2015, it's not clear if anyone has misused them to gather personal information on JustDial users," Rajaharia adds.

The researcher claims he contacted JustDial last week, but could not reach appropriate staff members. "It was then I wrote about the vulnerability on Facebook," he says. Rajaharia says the security team of JustDial finally got in touch with him Wednesday and reported that it's working on resolving the issue.

The Problem Area

The researcher says he discovered the data leak while pen testing JustDial's new APIs. "The new APIs are protected and use multifactor authentication. I found four old APIs with leaky endpoints," he says. "They were all returning the same data but created in different years."

Mohit Kumar, founder of HackerNews, a security news website, writes in a blog post that he also confirmed the data leak.

"I wanted to verify if user information is getting leaked in real time," he informs ISMG. "I provided the researcher a new phone number that was never before registered with JustDial server. I then simply called the customer care number and shared a random name and personal details with the executive. Immediately after completing the call, Rajaharia sent me the profile details I shared with the JustDial executive associated."

Below is a screenshot of the kind of information getting leaked.

User information that can be accessed (Source: Rajshekhar Rajaharia)

Fixing the Problem

Security experts say the obvious fix to the data leak is to delete the old APIs, which could serve as a backdoor for hackers.
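The pattern described above is API version sprawl: several generations of an endpoint serve the same customer record, and only the newest one checks a credential. The added example below is not JustDial's code and assumes nothing about its real endpoints; it is a hypothetical, self-contained WSGI handler with a constructed profile store and a demo token that shows the two fixes together, retiring every legacy version with 410 Gone and refusing to return profile data on the current version without a credential.

```python
import json
import re
from wsgiref.util import setup_testing_defaults

# Constructed sample data standing in for a customer-profile store (hypothetical).
PROFILES = {"9100000000": {"name": "A. Example", "email": "a@example.invalid"}}
# Demo credential; a real deployment would validate a session backed by MFA.
VALID_TOKEN = "demo-token"
CURRENT_VERSION = "v5"          # the only API version allowed to serve profile data
ROUTE = re.compile(r"^/api/(v\d+)/profile/(\d+)$")

def profile_api(environ, start_response):
    """Hypothetical profile endpoint: one handler for every API version ever shipped."""
    m = ROUTE.match(environ.get("PATH_INFO", ""))
    if not m:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    version, phone = m.groups()
    # Retire every legacy version outright instead of leaving old paths reachable.
    if version != CURRENT_VERSION:
        start_response("410 Gone", [("Content-Type", "text/plain")])
        return [b"this API version has been retired"]
    # The current version requires a credential before any PII is returned.
    auth = environ.get("HTTP_AUTHORIZATION", "")
    if auth != f"Bearer {VALID_TOKEN}":
        start_response("401 Unauthorized", [("WWW-Authenticate", "Bearer")])
        return [b"authentication required"]
    profile = PROFILES.get(phone)
    if profile is None:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"no such profile"]
    start_response("200 OK", [("Content-Type", "application/json")])
    return [json.dumps(profile).encode()]

def call(path, token=None):
    """Drive the WSGI app in-process and return (status, body) for one request."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    if token is not None:
        environ["HTTP_AUTHORIZATION"] = f"Bearer {token}"
    captured = {}
    def start_response(status, headers):
        captured["status"] = status
    body = b"".join(profile_api(environ, start_response))
    return captured["status"], body.decode()
```

`call("/api/v1/profile/9100000000")` returns a 410 and `call("/api/v5/profile/9100000000")` a 401; only the current version with the demo token returns the record.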

"Considering that JustDial is one of India's largest local search engines, the database is huge. This is pure callousness," Dinesh O. Bareja, COO at Open Security Alliance, says of the data leak tied to the APIs.

JustDial did not immediately reply to a request for comment.

About the Author

Suparna Goswami

Associate Editor, ISMG

Goswami has more than 10 years of experience in the field of journalism. She has covered a variety of beats including global macro economy, fintech, startups and other business trends. Before joining ISMG, she contributed for Forbes Asia, where she wrote about the Indian startup ecosystem. She has also worked with UK-based International Finance Magazine and leading Indian newspapers, such as DNA and Times of India.
