Truecaller’s Guardians app fixes bug that let hackers secretly track your family
Guardian app from Truecaller
Prakash noted that the bug was in the app’s “Log in with Truecaller API.” That means an attacker could use your phone number to log in to your account. They could intercept the API’s request, and change the phone number to gain access to anyone’s account.
The account takeover allowed the hacker to add themselves or anyone as a trusted contact to a target’s profile. Plus, the bug allowed the hacker to view your family members’ details including names, birth dates, phone numbers, and live locations.
In a statement, Truecaller said that this bug was a development configuration, but made it to the final roll out by mistake:
In this case, the issue pointed out by Anand was due to a development configuration being rolled out by mistake during the launch phase. Our engineers were already rolling out a fix at the time of his submission to ensure user safety.
Thankfully, no account data was leaked. But for an application that’s focused on privacy, this was a dangerous bug that put user data at high risk. The company should’ve done a more thorough security audit before launching the app.