Caller identification company Truecaller’s ‘Guardians’ application, launched last week to let users share their live location with selected guardians from their phone book, had a major vulnerability, which was fixed by the company hours after it was pointed out by Bengaluru-based security researcher Anand Prakash.
The ‘personal safety’ application includes an emergency button that notifies the user's selected contacts, such as family members, of their real-time location at the tap of a button during a crisis.
Prakash, founder of cybersecurity startup Pingsafe, noted that it was possible for a potential attacker to log in to a victim’s account using just their phone number. Following this, the attacker was able to take full control of the account and the data associated with it, including the live locations of the guardians or emergency contacts, the victim's date of birth and profile picture, he said.
The Guardians app was launched on March 3 and currently has over 100,000 downloads on the Play Store.
The researcher informed Truecaller on March 4, and it was fixed on the same day. The vulnerability was possible due to a basic API error, he said. When there are problems with application programming interfaces (APIs), it is possible to access data within websites and software that is not normally openly accessible.
“When it got launched, I immediately started looking through the app. Within a few minutes, I was able to discover this issue on the app. I selected the ‘Login API’ on the app and put in someone else’s phone number and was able to log in to the person’s account. We replicated this issue on other numbers and reported it to Truecaller. They acknowledged it and we got a confirmation saying the issue had been fixed,” said Prakash.
Prakash categorised the problem as an "Insecure Direct Object Reference" vulnerability in technology parlance.
“Companies tend to miss out on such fundamental issues even after rigorous security assessments. The repercussions of such problems are enormous and impact customers' privacy and lead to companies' revenue losses,” he said.
In response to ET's queries, a spokesperson for Truecaller confirmed that the vulnerability was fixed.
"We care a lot about security at Guardians and we welcome any comments or suggestions for improvements. On occasion, security researchers like Anand Prakash reach out to us if they spot something amiss and we make sure to verify every such submission very carefully. In this case, the issue pointed out by Anand was due to a development configuration being rolled out by mistake during the launch phase."
The spokesperson added, "Our engineers were already rolling out a fix at the time of his submission to ensure user safety. We routinely conduct extensive testing to make sure our users are safe and their data secured, however, we would also like to thank Anand for reaching out proactively."
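The class of flaw described above, sketched as an added example (not code from Truecaller or from the researcher): a login endpoint that trusts a client-supplied phone number when a development shortcut is enabled, beside a hardened form. The one-time-code flow, the `skip_verification` flag and all names and data are assumptions made for illustration; the article does not describe the app's actual login design.

```python
import hmac
import secrets

# Constructed sample data; numbers and fields are made up for illustration.
ACCOUNTS = {
    "+10000000001": {"dob": "1990-01-01", "guardians": ["+10000000002"]},
    "+10000000003": {"dob": "1985-05-05", "guardians": []},
}
PENDING_CODES = {}  # phone -> one-time code delivered out of band (e.g. SMS)
SESSIONS = {}       # session token -> phone number the session belongs to


def validate_config(config):
    """Refuse to start a production build that carries the development shortcut."""
    if config["env"] == "production" and config.get("skip_verification"):
        raise RuntimeError("skip_verification must not be enabled in production")


def start_login(phone):
    """Create the one-time code; it is sent to the number, never returned to the caller."""
    PENDING_CODES[phone] = f"{secrets.randbelow(10**6):06d}"


def _issue_session(phone):
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = phone
    return token


def login_weak(phone, code, config):
    """Before: with the development flag set, the client-supplied number alone is trusted."""
    if config.get("skip_verification"):
        return _issue_session(phone)
    return login_hardened(phone, code)


def login_hardened(phone, code):
    """After: a session is issued only when the caller proves control of the number."""
    expected = PENDING_CODES.pop(phone, None)  # single use, removed on every attempt
    if expected is None or code is None:
        return None
    return _issue_session(phone) if hmac.compare_digest(expected, code) else None


def get_profile(token, phone):
    """Object-level check: a session may read only the account it was issued for."""
    if token is None or SESSIONS.get(token) != phone:
        return None
    return ACCOUNTS.get(phone)
```

Calling `validate_config` at service start turns a mis-shipped development configuration into a failed deployment instead of an exposed login endpoint.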
Article: "Truecaller's Guardians App was leaking live location details, issue fixed", by Anandi Chandrashekhar (Senior Correspondent), ET Bureau, published 2021-03-08.