Security Flaw In Truecaller Android App Exposes Data of Millions of Users (softpedia.com)
An anonymous reader writes about a newly found vulnerability in Truecaller: Security researchers have found a flaw in Truecaller, a popular service that indexes phone numbers and helps users block spammers and telemarketers. An article on Softpedia explains the vulnerability, "When users first install the Android app, they are prompted to enter their phone number, email address, and other personal details. This information is verified by phone call or SMS message. Upon opening the app for the second time, no login screens are shown. In a proof-of-concept code shared with Softpedia, researchers were able to retrieve personal details for other users based on an IMEI code just by interacting with the app's servers. The servers exposed data such as the user's Truecaller account name, his gender, email address, profile image, home address, and whatever else was stored in his profile. Additionally, the IMEI code also allowed the researchers to modify account settings."
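The bug pattern described in the summary, shown as an added illustration (this is not Truecaller's code; every name, phone number, IMEI and the in-memory store are constructed for the example): a lookup that treats the device's IMEI as the only credential, beside a hardened model in which a random session token is issued only after the SMS check and profile reads are authorized against that token's owner.

```python
"""Added illustration (not Truecaller's code): a device identifier such as an
IMEI cannot serve as the credential for reading or changing a profile; access
should be bound to a secret session token issued after SMS verification.
All names, numbers and the in-memory 'database' are constructed for this example."""
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample profiles, keyed by the account's verified phone number.
PROFILES: Dict[str, dict] = {
    "+15550100": {"name": "Alice Example", "email": "alice@example.invalid", "imei": "490154203237518"},
    "+15550101": {"name": "Bob Example", "email": "bob@example.invalid", "imei": "356938035643809"},
}


def profile_by_imei_vulnerable(imei: str) -> Optional[dict]:
    """The pattern the article describes: the IMEI is the only 'credential'.
    An IMEI is not a secret (it is printed on the box and visible to carriers
    and other apps), so knowing a device's IMEI is enough to read its account."""
    for profile in PROFILES.values():
        if profile["imei"] == imei:
            return profile
    return None


# Hardened model: a random bearer token is issued once the SMS challenge succeeds
# and is the only thing that grants access; the IMEI is at most telemetry.
SESSIONS: Dict[str, str] = {}  # token -> verified phone number


def issue_session(phone: str, code_entered: str, code_sent: str) -> Optional[str]:
    """Issue a session token only after the SMS code matches (constant-time compare)."""
    if phone not in PROFILES or not hmac.compare_digest(code_entered, code_sent):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = phone
    return token


def profile_for_session(token: str, requested_phone: str) -> Optional[dict]:
    """Authorization as well as authentication: the token must belong to the
    account being read, so a valid session for Bob cannot fetch Alice's profile."""
    owner = SESSIONS.get(token)
    if owner is None or owner != requested_phone:
        return None
    return PROFILES[owner]
```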
It's feasible, but how useful is it? You can of course loop through IMEI codes, but not every phone has registered, so it will be some time before you get matching info.
But otherwise I agree - it's a weakness that should be protected better. It also highlights that too many services request too much personal information.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
Unfortunately, it has become such common practice to request "kitchen sink" permissions that it's nigh impossible to find useful apps that don't do so. And the sad fact is that users have become so jaded to it that the money that app makers lose from people who value privacy is less than the money they make from people just clicking through on every "OK" button they see to get their new shiny.
I wish I had an answer to this problem, but I don't. People are stupid, and there's not much you can do to fix that. Unfortunately, that means that people like you and me who do care about our privacy pay the price.
True Caller is the dialer app on some phones. On other phones, you can replace the default dialer with True Caller. Good luck getting rid of default True Caller; the dialer app isn't in the Android store. You could install another third-party dialer app that sniffs all your dialed numbers.
Support my political activism on Patreon.
it is bad enough that they know who calls you — but they have a legitimate need to know.
They do? Who's "they"? The KGB?
“He’s not deformed, he’s just drunk!”