A new flaw in Truecaller could compromise the account security of millions of users. Discovered by security researcher Ehraz Ahmed, it could allow an attacker to access virtually any Truecaller account. If exploited, it could also allow an attacker to access user accounts on popular third-party apps that use TrueSDK for one-tap signup with Truecaller's phone number verification system. Popular apps like Shopclues, Oyo, Grofers and Myntra use TrueSDK.
Ahmed said the vulnerability was limited to Truecaller's call-based number verification, which could be exploited by placing a spoofed call at the moment a user signs in to a Truecaller account. The verification step only checks that an incoming call appears to come from a Truecaller verification number, and caller ID is attacker-controlled: by spoofing a call from a Truecaller verification number to the phone on which Truecaller is installed, an attacker could complete the login regardless of which Truecaller account they were trying to access. Ahmed demonstrated the flaw by sending a few messages on Truecaller Chat from a now-invalid phone number that used to be Airtel's official prepaid customer care number, 9845098450.
Bharti Airtel India (@Airtel_Presence), tweet 4/6, October 11, 2017: "Customer Care - 121 / Toll Free - 198 / Prepaid - 9845098450 / Email - email@example.com / Website -"
Ahmed also sent a message from a number that is still supposed to be an official customer care number of Vodafone 4G.
Ahmed uploaded a video demonstrating the Truecaller vulnerability using Airtel's expired prepaid customer care number.
In an email statement to Republic World, Truecaller said it investigated the issue with the security researcher and the flaw was not reproducible.
"The security researcher reached out to us about a proclaimed flaw in our call verification process. We have investigated the issue together with the security researcher and the flaw as claimed by the researcher was not reproducible. We thank the security researcher for bringing this to our attention and collaborating with us. As a responsible organisation, we take such matters seriously. We assure our users that Truecaller is perfectly safe to use."
Ahmed explained that the issue did not pose any danger to Truecaller's UPI payment method. For UPI sign-up, an SMS is sent from the user's actual number to the bank, and unlike the call verification, that OTP step could not be bypassed by an attacker, so the flaw did not allow unauthorised sign-up to Truecaller's UPI payments.
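To make the difference between the two verification paths concrete, here is an added example (not Truecaller's code, and not the researcher's) that models the weak check described above beside a hardened one. The phone numbers, the `TRUSTED_VERIFICATION_CALLER_IDS` set and the `ChallengeVerifier` design are all constructed placeholders for illustration. The weak check accepts any call whose caller ID matches a known verification number, which a spoofed call satisfies; the hardened design generates a random per-session challenge that is delivered only to the claimed number (as an SMS OTP would be) and verifies it server-side, single-use and with an attempt limit.

```python
import hmac
import secrets

# Constructed placeholders for the caller IDs a weak client would trust as
# "the verification service". Hypothetical numbers, not Truecaller's.
TRUSTED_VERIFICATION_CALLER_IDS = {"+15550000001", "+15550000002"}


def weak_call_verification(incoming_caller_id: str) -> bool:
    """Vulnerable pattern: the app on the handset treats a login as verified
    as soon as a call arrives whose caller ID is a known verification number.
    Caller ID is attacker-controlled through spoofing, and nothing binds the
    call to the specific account being logged in, so a spoofed call to the
    attacker's own handset unlocks any account."""
    return incoming_caller_id in TRUSTED_VERIFICATION_CALLER_IDS


class ChallengeVerifier:
    """Hardened pattern (illustrative design, not Truecaller's mechanism):
    the server creates an unpredictable per-session challenge, delivers it
    only to the number being claimed, and checks it on the server side."""

    MAX_ATTEMPTS = 3

    def __init__(self):
        self._sessions = {}  # token -> {"number", "challenge", "attempts"}
        # Stands in for the carrier delivering the OTP to the real handset.
        self.delivered = {}  # phone number -> challenge

    def start(self, claimed_number: str) -> str:
        token = secrets.token_urlsafe(16)
        challenge = f"{secrets.randbelow(10 ** 6):06d}"
        self._sessions[token] = {
            "number": claimed_number, "challenge": challenge, "attempts": 0,
        }
        # Only whoever controls claimed_number receives this value.
        self.delivered[claimed_number] = challenge
        return token

    def complete(self, token: str, submitted: str) -> bool:
        session = self._sessions.get(token)
        if session is None or session["attempts"] >= self.MAX_ATTEMPTS:
            return False
        session["attempts"] += 1
        ok = hmac.compare_digest(session["challenge"], submitted)
        if ok:
            del self._sessions[token]  # single use: no replay
        return ok


def simulate_attack() -> dict:
    """Run the spoofing attacker against both schemes (constructed scenario)."""
    victim, attacker = "+15551230000", "+15559990000"

    # Weak scheme: attacker spoofs a verification number to their own phone.
    weak_bypassed = weak_call_verification("+15550000001")

    # Hardened scheme: attacker starts a session claiming the victim's number.
    verifier = ChallengeVerifier()
    token = verifier.start(victim)
    attacker_sees = verifier.delivered.get(attacker)      # nothing delivered
    guess_ok = verifier.complete(token, "not-the-code")    # cannot guess
    owner_ok = verifier.complete(token, verifier.delivered[victim])
    replay_ok = verifier.complete(token, verifier.delivered[victim])

    return {
        "weak_bypassed": weak_bypassed,
        "attacker_sees_challenge": attacker_sees,
        "attacker_guess_accepted": guess_ok,
        "owner_accepted": owner_ok,
        "replay_accepted": replay_ok,
    }


if __name__ == "__main__":
    for key, value in simulate_attack().items():
        print(f"{key}: {value}")
```

The point of the contrast is where the trust decision is made: the weak path decides on the handset from a signal (caller ID) the attacker controls, while the hardened path decides on the server from a secret the attacker never receives, which is the property that kept the UPI sign-up out of reach in the researcher's account.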
Truecaller has more than 100 million active users in India.