Data Breach Exposes Sensitive Information of JustDial Customers in India
A significant security lapse has been discovered at JustDial, the largest local search service in India, which has reportedly exposed its customers' sensitive personal information. The exposure stems from an unprotected API endpoint that has been returning, in real time, the data of users who access JustDial's services through its website, its mobile application, or by calling its customer service number.
Founded over two decades ago, JustDial (JD) is a prominent local search engine that connects consumers with local vendors offering a wide range of products and services. As it stands, the exposed data includes names, email addresses, mobile numbers, home addresses, gender, date of birth, photographs, occupations, and workplace details. In effect, it covers everything a user has shared with the platform.
The breach was brought to light by independent security researcher Rajshekhar Rajaharia, who found that a publicly reachable JustDial API returned sensitive user data without requiring any authentication, affecting over 100 million users. This gap raises questions about the effectiveness of the company's existing security measures, especially as the exposed API has been live since at least mid-2015.
After verifying the vulnerability, The Hacker News sought to determine whether the API was serving data from an outdated backup or from the production database. To test this, Rajaharia called JustDial's customer service from a phone number that had never been registered with the service, gave the representative some details, and was then able to retrieve that freshly created profile through the API. This shows that the API reads directly from live production data rather than from a stale copy.
Rajaharia noted that the API appears to be an older endpoint that JustDial no longer actively uses, but a deprecated endpoint that is still deployed remains reachable by anyone who finds it, so its continued presence on the server poses a serious risk. He came across it while testing the platform's current APIs, which he found to be properly protected by authentication.
In addition to this major vulnerability, Rajaharia identified other unsecured APIs, one of which allowed a one-time password (OTP) to be triggered for any registered phone number without authentication or rate limiting. Although this is not a critical risk on its own, an endpoint that sends an OTP SMS on demand can be abused to flood users with messages, causing reputational damage for JustDial.
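To make the two failure modes concrete, the following is an added example that models both endpoint classes described above and the controls they lacked. It is not JustDial's code and does not reproduce its API: the sample records, the HMAC session-token scheme, the `SESSION_KEY` value, the rate-limit thresholds and the `ApiError`/`call` helpers are all assumptions made for illustration. `legacy_lookup` shows the pattern the researcher found (profile by phone number, no identity check); `hardened_lookup` adds authentication and object-level authorization so a session can read only its own record; `OtpService` adds per-number and per-requester throttling to the OTP trigger.

```python
"""Constructed model of an unauthenticated profile-lookup endpoint, its hardened
form, and a throttled OTP trigger. Not JustDial's code; all data is made up."""
import hashlib
import hmac

# Constructed sample records (the real exposure held the fields listed above).
USERS = {
    "9100000001": {"name": "Asha Rao", "email": "asha@example.com", "dob": "1990-01-01"},
    "9100000002": {"name": "Vikram Sen", "email": "vikram@example.com", "dob": "1985-05-05"},
}

# Assumption: a server-side key used to sign session tokens (hypothetical value).
SESSION_KEY = b"constructed-server-secret"


class ApiError(Exception):
    """Carries the HTTP status the endpoint would return."""

    def __init__(self, status, message):
        super().__init__(message)
        self.status = status


def legacy_lookup(phone):
    """The flaw as described: profile by phone number, caller identity never checked.

    Anyone who can reach the endpoint can walk the number space and pull every
    record, which is what makes the whole user base enumerable.
    """
    return USERS.get(phone)


def issue_token(phone):
    """Issue an HMAC-signed session token after login (login flow omitted)."""
    sig = hmac.new(SESSION_KEY, phone.encode(), hashlib.sha256).hexdigest()
    return f"{phone}.{sig}"


def verify_token(token):
    """Return the phone number bound to a valid token, else None."""
    phone, sep, sig = token.partition(".")
    if not sep:
        return None
    expected = hmac.new(SESSION_KEY, phone.encode(), hashlib.sha256).hexdigest()
    return phone if hmac.compare_digest(sig, expected) else None


def hardened_lookup(phone, token):
    """Authenticate, then authorize: a session may read only its own record."""
    caller = verify_token(token)
    if caller is None:
        raise ApiError(401, "authentication required")
    if caller != phone:
        # Object-level authorization: without this check, any one valid login
        # would still allow enumeration of every other account.
        raise ApiError(403, "forbidden")
    return USERS.get(phone)


class SlidingWindowLimiter:
    """Allow at most `limit` events per `key` within any `window_s` seconds."""

    def __init__(self, limit, window_s):
        self.limit, self.window_s, self.hits = limit, window_s, {}

    def allow(self, key, now):
        recent = [t for t in self.hits.get(key, []) if now - t < self.window_s]
        allowed = len(recent) < self.limit
        if allowed:
            recent.append(now)
        self.hits[key] = recent
        return allowed


class OtpService:
    """OTP trigger endpoint with the controls the unsecured one lacked."""

    def __init__(self):
        self.per_number = SlidingWindowLimiter(limit=3, window_s=600)   # per target number
        self.per_client = SlidingWindowLimiter(limit=20, window_s=600)  # per requesting client
        self.sent = []  # constructed stand-in for the SMS gateway

    def request_otp(self, phone, client_id, now):
        # Per-requester cap stops one client spraying OTPs across many numbers;
        # per-number cap stops all clients together from bombing one victim.
        if not self.per_client.allow(client_id, now):
            raise ApiError(429, "too many requests")
        if not self.per_number.allow(phone, now):
            raise ApiError(429, "too many OTP requests for this number")
        if phone in USERS:
            self.sent.append(phone)
        # Same response whether or not the number is registered, so the endpoint
        # cannot be used to confirm who is a customer.
        return {"status": "ok"}


def call(fn, *args):
    """Run an endpoint and return (status, body) as an HTTP client would see it."""
    try:
        return 200, fn(*args)
    except ApiError as e:
        return e.status, None


if __name__ == "__main__":
    print(call(legacy_lookup, "9100000002"))                               # anyone gets the record
    print(call(hardened_lookup, "9100000002", issue_token("9100000001")))  # (403, None)
    svc = OtpService()
    print([call(svc.request_otp, "9100000001", "client-a", t)[0] for t in range(4)])
```

The lookup fix is two checks, not one: a token proves who is calling, and the ownership comparison prevents a logged-in user from reading everyone else. Real deployments would bind tokens to an expiry and a server-side session store; the HMAC scheme here is only enough to show the ordering of the checks.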
Despite attempts to inform JustDial of the vulnerabilities, Rajaharia expressed frustration over the lack of a direct communication channel to responsibly disclose his findings. In a bid to address this issue, The Hacker News has reached out to multiple email addresses associated with the company to relay details of the breach.
This incident underscores the need for businesses to inventory and secure every API they expose, deprecated endpoints included, and to offer a working channel for responsible disclosure. Note that what was found is an exposure, not an observed intrusion: no attacker activity was documented, so mapping the incident to MITRE ATT&CK tactics such as Initial Access or Persistence would be speculative. The failures on record are an endpoint that served user data without authentication or authorization, and an OTP endpoint without rate limiting.
With comprehensive customer data at risk, companies like JustDial must prioritize securing their systems to safeguard the information they hold. As this story develops, additional updates will be provided.