However, at the launch, the app had a major bug that let hackers take full control over users’ accounts. Security researcher Anand Prakash, who found the vulnerability, informed Truecaller on Thursday, and it was fixed the same day.

Truecaller launched the Guardians app with the intent to share your information with family members and friends for staying safe while traveling. Through the app, you could share your live location, your phone’s battery life, and network status with your trusted contacts. You could also let your family know you need assistance by pressing an ‘emergency’ button.

Prakash noted that the bug was in the app’s “Log in with Truecaller API.” That means an attacker could use your phone number to log in to your account. They could intercept the API’s request and change the phone number to gain access to anyone’s account.

The account takeover allowed the hacker to add themselves or anyone else as a trusted contact to a target’s profile. Plus, the bug allowed the hacker to view your family members’ details, including names, birth dates, phone numbers, and live locations.

In a statement, Truecaller said that this bug was a development configuration, but made it to the final rollout by mistake:

Thankfully, no account data was leaked. But for an application that’s focused on privacy, this was a dangerous bug that put user data at high risk. The company should’ve done a more thorough security audit before launching the app.
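The class of flaw described above, a login endpoint that accepts whatever phone number the client sends, is sketched here next to a handler that takes identity only from a signed assertion. This is an added example, not Truecaller's code or API; the function names, the HMAC-signed assertion format, the key and the phone numbers are all assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Hypothetical secret shared by the identity provider and the app backend.
# A production design would normally use asymmetric signatures, expiry and a nonce.
IDP_KEY = b"constructed-demo-key"


def idp_issue_assertion(phone, key=IDP_KEY):
    """Identity-provider side: sign the phone number it actually verified."""
    payload = base64.urlsafe_b64encode(json.dumps({"phone": phone}).encode()).decode()
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + sig


def login_vulnerable(request):
    """Flawed pattern: the account is chosen by a field the client controls."""
    return request["phone"]


def login_hardened(request, key=IDP_KEY):
    """Ignore any client-sent phone field; accept identity only from a valid assertion."""
    try:
        payload, sig = str(request.get("assertion", "")).split(".", 1)
    except ValueError:
        return None  # assertion missing or malformed
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None  # payload was altered or not issued by the provider
    try:
        return json.loads(base64.urlsafe_b64decode(payload))["phone"]
    except (ValueError, KeyError, TypeError):
        return None


# Constructed sample requests (phone numbers are placeholders).
LEGIT = {"phone": "+10000000001", "assertion": idp_issue_assertion("+10000000001")}
# Same request after the client-side phone field was edited in transit.
TAMPERED = dict(LEGIT, phone="+10000000002")

if __name__ == "__main__":
    print("vulnerable:", login_vulnerable(TAMPERED))  # follows the edited field
    print("hardened:  ", login_hardened(TAMPERED))    # follows the signed identity
```

The hardened handler never reads the `phone` field at all, so editing it in transit changes nothing; a request without a valid assertion is rejected rather than falling back to the client's claim.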

Truecaller’s Guardians app fixes bug that let hackers secretly track your family