Over 100 Million JustDial Users’ Personal Data Found Exposed On the Internet [thehackernews]
by CIRT Team
An unprotected database belonging to JustDial, India’s largest local search service, is leaking in real time the personally identifiable information of every customer who accessed the service via its website, mobile app, or even by calling its fancy “88888 88888” customer care number, The Hacker News has learned and independently verified.
Founded over two decades ago, JustDial (JD) is the oldest and leading local search engine in India that allows users to find relevant nearby providers and vendors of various products and services quickly while helping businesses listed in JD to market their offerings.
Rajshekhar Rajaharia, an independent security researcher, yesterday contacted The Hacker News and shared details of how an unprotected, publicly accessible API endpoint of JustDial’s database can be accessed by anyone to view profile information of over 100 million users associated with their mobile numbers.
The leaked data includes JustDial users’ names, email addresses, mobile numbers, addresses, gender, dates of birth, photos, occupations, and the names of the companies they work for, basically whatever profile-related information a customer ever provided to the company.
Though the unprotected APIs have existed since at least mid-2015, it’s not clear whether anyone has misused them to gather personal information on JustDial users.
Justdial is Leaking Personal Details Of All Customers
After verifying the leaky endpoint, The Hacker News also wanted to verify if the API is fetching results directly from the production server or from a backup database that might not have information belonging to recently signed-up users.
To find this out, I provided Rajshekhar a new phone number that had never before been registered with the Justdial server, which he confirmed was not listed in the database at that time.
Instead of installing and using the JD app or its website, I then simply called the customer care number and shared a random name and personal details with the executive to learn about a few good restaurants in my city.