Truecaller recently released the Guardians app, a security tool that lets users continuously share their live location with selected contacts. The app is intended as a personal-safety feature: the people a user trusts can see that user's whereabouts at any time.
However, a recent report from PingSafe showed that an attacker could have used the Truecaller Guardians app to track someone's live location, along with other details such as profile photo, date of birth and emergency contacts. According to the report, the vulnerability was in the "Login with Truecaller" option of the Guardians application. Truecaller has since fixed the problem, the report adds.
“By intercepting the login API request, the attacker could have changed the parameter ‘number’ to the victim’s number while keeping the value of all other parameters and resending the API request. The API responded with a valid access token from the victim in the response headers,” the report shared.
Once the attack succeeded, the attacker was logged into the victim's account with access to all of the victim's information. The attacker could also add more "trusted" members to the account, who would then have access to the victim's location alongside the contacts the victim had actually chosen.
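The flaw described above is a login endpoint that trusts a client-supplied account identifier. The following is an added illustration, not Truecaller's or PingSafe's code, of the vulnerable pattern beside a hardened version: it assumes a hypothetical identity provider that hands the client an HMAC-signed assertion ({"number", "nonce", "sig"}), and the hardened handler derives the account from that verified assertion instead of the bare "number" field.

```python
import hmac
import hashlib
import json
import secrets

# Constructed demo data; the key, numbers and protocol are assumptions, not Truecaller's.
IDP_KEY = b"constructed-identity-provider-secret"
USERS = {"+10000000001": {"name": "alice"}, "+10000000002": {"name": "bob"}}
TOKENS = {}        # access token -> account number
SEEN_NONCES = set()  # nonces already redeemed, to block replay of a valid assertion


def issue_token(number):
    tok = secrets.token_hex(16)
    TOKENS[tok] = number
    return tok


def vulnerable_login(request):
    # Uses the client-controlled "number" field to decide whose token to mint.
    # Editing that one field in the request yields another user's token, which is
    # the class of defect the report describes.
    number = request["number"]
    if number not in USERS:
        return None
    return issue_token(number)


def sign_assertion(number, nonce):
    # Deterministic encoding so signer and verifier hash identical bytes.
    msg = json.dumps({"number": number, "nonce": nonce}, sort_keys=True).encode()
    return hmac.new(IDP_KEY, msg, hashlib.sha256).hexdigest()


def hardened_login(request):
    # The account comes only from the signed assertion, never from a bare parameter.
    a = request["assertion"]
    expected = sign_assertion(a["number"], a["nonce"])
    if not hmac.compare_digest(expected, a["sig"]):
        return None                                   # forged or altered assertion
    if request.get("number") not in (None, a["number"]):
        return None                                   # tampered form field: reject
    if a["nonce"] in SEEN_NONCES:
        return None                                   # replayed assertion
    SEEN_NONCES.add(a["nonce"])
    if a["number"] not in USERS:
        return None
    return issue_token(a["number"])


def whoami(token):
    return TOKENS.get(token)
```

A server-side test that swaps the "number" field for another account should fail against the hardened handler; if it succeeds, the endpoint is still trusting client input for identity.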
Truecaller has fixed the vulnerability
The report adds that the problem was reported to Truecaller on March 4 and the company acknowledged the flaw on the same day. By March 6, the Truecaller team had fixed the issue and this attack method should no longer work.
“Companies tend to miss such critical issues even after rigorous security assessments. The repercussions of these problems are enormous and affect the privacy of the clients and cause losses of income for the companies,” adds the report.