Truecaller Fixes Flaw That Could Let Attackers Use Malicious Links to Harvest IP Addresses, Other User Data

Truecaller Fixes Flaw That Could Let Attackers Use Malicious Links to Harvest IP Addresses, Other User Data

Truecaller has over 150 million daily active users globally

  • Truecaller acknowledged the vulnerability and fixed the flaw
  • The flaw could let attackers fetch both IPv4 and IPv6 based IP addresses
  • Truecaller also revealed its plans to launch a bug bounty programme

Truecaller has fixed a flaw that could allow attackers to use the service’s API to place a malicious link as the URL for their profile picture. The malicious link could be used to fetch IP addresses of other Truecaller users and perform attacks such as brute-force and distributed denial of service (DDoS), based on the obtained information. Further, the flaw could potentially enable the attackers to harvest IP addresses of users and scan for open ports. To exploit the flaw and attack a Truecaller user, a malicious party just had to lure a user to an infected profile.

The flaw existed in one of the APIs of Truecaller that allowed attackers to place their malicious links as the URL for a profile picture. Bengaluru-based security researcher Ehraz Ahmed discovered the Truecaller flaw and showed a proof-of-concept (PoC) to Gadgets 360.  Upon confirming the exploit was real, Gadgets 360 brought the flaw to Truecaller’s attention and connected the company with the researcher. We then responsibly waited until the company had fixed the issue before publishing this article.

Attackers leveraging the flaw could fetch the IP addresses of users and silently obtain their location as well as device details. Because it was an API flaw, it could be accessed through all versions of Truecaller, including Android, iOS, and the Web.

Once IP address and other user data have been obtained through the flaw, an attacker could ascertain location details to track users viewing their profiles. The vulnerability could also be exploited to scan for open ports after accessing IP addresses to perform brute-force and DDoS attacks.

“Whenever a user views the attacker’s profile on Truecaller — either by doing a search or tapping the pop-up from a call, the custom script gets executed and user’s IP address gets recorded,” explains Ahmed, adding that the user wouldn’t notice any difference as the profile URL is not displayed publicly.

To reproduce the flaw, Ahmed developed the PoC showing the process of recording IP addresses of users in a log file. The custom PHP script used by the security researcher worked with both IPv4 and IPv6 based IP addresses. Gadgets 360 was also able to verify the scope of the vulnerability by testing it through multiple Android and iPhone models. The custom script was able to obtain IP addresses of the devices alongside highlighting their model numbers and software versions.

In case if a user is searching for a Truecaller profile from a desktop, the flaw could let an attacker know about browser details. To showcase the extent of the flaw existing in Truecaller, Ahmed has created a video and published a case study.