Guardians is a personal safety application with an emergency button that a user can press to notify selected contacts, such as family members, of their real-time location during a critical situation.
Made by Truecaller, a caller identification company, “Guardians” launched last week with an unpatched critical vulnerability. The Guardians app currently has over 100,000 downloads on the Play Store. The flaw was patched by the company within hours after it was pointed out by Anand Prakash, a Bengaluru-based security researcher.
Prakash is a founder of cybersecurity startup Pingsafe. He showed that a potential attacker could log in to a victim’s account by using the attacker’s own phone number. After that, the attacker can take over the account with all data associated with it, including the live locations of the guardians or emergency contacts, the victim’s profile picture, and date of birth.
The vulnerability was caused by a basic API error, which the researcher reported to Truecaller on March 4.
Flaws of this kind typically let bad actors reach data held in the victim’s cloud account and inside the application that should never be accessible to them.
“When it got launched, I immediately started looking through the app. Within a few minutes, I was able to discover this issue on the app. I selected the ‘Login API’ on the app and put in someone else’s phone number and was able to log in to the person’s account. We replicated this issue on other numbers and reported it to Truecaller,” said Prakash.
Truecaller acknowledged the vulnerability and later confirmed that it had been fixed. The company said the issue pointed out by Anand was due to a development configuration error that got into a release by mistake after the launch.
Prakash said the problem can be categorized as an “Insecure Direct Object Reference” vulnerability.
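As an added illustration (hypothetical code, not Truecaller’s, since the Guardians API internals are not public), this is the Insecure Direct Object Reference pattern Prakash describes: a phone-keyed account lookup that trusts the number supplied in the request, beside a hardened version that only serves the account belonging to the identity the login flow actually verified.

```python
from dataclasses import dataclass

# Constructed sample accounts keyed by phone number (hypothetical data, not real users).
ACCOUNTS = {
    "+910000000001": {"name": "Alice", "guardians": ["+910000000002"], "dob": "1990-01-01"},
    "+910000000002": {"name": "Bob", "guardians": [], "dob": "1985-05-05"},
}


@dataclass(frozen=True)
class Session:
    """Server-side session minted only after the OTP for `phone` was verified."""
    phone: str


class Forbidden(Exception):
    pass


def login(phone: str, otp_verified: bool) -> Session:
    """Issue a session bound to the phone number whose OTP was just verified."""
    if not otp_verified or phone not in ACCOUNTS:
        raise Forbidden("authentication failed")
    return Session(phone=phone)


def get_profile_weak(session: Session, requested_phone: str) -> dict:
    """IDOR: the lookup key comes straight from the request and is never
    compared with the session, so any logged-in caller can read any account."""
    return ACCOUNTS[requested_phone]


def get_profile_hardened(session: Session, requested_phone: str) -> dict:
    """Object-level authorization: a session may only read the profile of the
    phone number the login flow verified, regardless of what the request asks for."""
    if requested_phone != session.phone:
        raise Forbidden("access denied")
    return ACCOUNTS[requested_phone]
```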
“Companies tend to miss out on such fundamental issues even after rigorous security assessments. The repercussions of such problems are enormous and impact customers’ privacy and lead to companies’ revenue losses,” he stated.