PaulDotCom mailing list archives
TrueCaller Vulnerability Allows Changing Users Details
From: Kuwait WhiteHat <q8whitehat () gmail com>
Date: Fri, 1 Jun 2012 23:30:16 +0300
Hi, I wanted to share this vulnerability with the pauldotcom community!

TrueCaller - worldwide number search and spam filter, a top iPhone application in many countries, enables users to search half a billion phone numbers worldwide and much more. The application allows users to search numbers if and only if the user enables the *Enhanced Search* feature. When enabled, the user is warned that his contacts will be shared with other users to search, and his address book is sent to the TrueCaller database. This process is done by sending the following HTTP "cleartext" request:

post_contact_data=[{"REV":"","FN":"ContactName","TEL_CELL":["MobileNumber "],"TCBID":"Number","FID":"Number ","TEL_WORK":[Number],"TEL_HOME":[],"CONTACT_ID":"3619","LID":""}]
From a security point of view, this is bad security behavior and may lead to one of the following situations:

- *Privacy Issues*
- *Fake Data*
- *Enabling Enhanced Search features without having to share the user's Address Book*

*TrueCaller confirmed the vulnerability and a fix was released. Details of the vulnerability can be found here:*
http://q8whitehat.org/truecaller-vulnerability-allows-changing-users-name/

*Advisory Timeline*

28/Apr/2012 - First contact: Vulnerability details sent
29/Apr/2012 - Response received: Asked for more details
29/Apr/2012 - Second contact: More details provided and cleared TrueCaller doubts
30/Apr/2012 - Vulnerability confirmed: TrueCaller started working on a fix
01/May/2012 - Vulnerability fixed: Fix submitted to Apple for approval
17/May/2012 - New version released: Fix approved by Apple and released
01/Jun/2012 - Vulnerability released
_______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
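The request shape quoted in the post (a form field `post_contact_data` carrying a JSON list of contact records with `FN`, `TEL_CELL`, `TEL_WORK`, `TEL_HOME`, `CONTACT_ID` and related keys) is enough to write a small wire-side check for the two defender-relevant facts in the advisory: an address-book upload going out over plaintext HTTP, and records that do not even match the documented schema. The code below is an added example written for this archive page; it is not TrueCaller's code and not code from the original post. The sample contacts, phone numbers and the helper names (`parse_contact_upload`, `assess_request`, `encode_upload`) are all constructed here for illustration.

```python
import json
from urllib.parse import parse_qs, urlencode

# Constructed sample records, shaped like the post_contact_data body quoted in
# the advisory. Field names come from the post; every value is made up.
SAMPLE_CONTACTS = [
    {"REV": "", "FN": "ContactName", "TEL_CELL": ["+96550000000"],
     "TCBID": "1", "FID": "2", "TEL_WORK": ["+96522000000"],
     "TEL_HOME": [], "CONTACT_ID": "3619", "LID": ""},
    {"REV": "", "FN": "Other Contact", "TEL_CELL": ["+96551111111"],
     "TCBID": "3", "FID": "4", "TEL_WORK": [], "TEL_HOME": [],
     "CONTACT_ID": "3620", "LID": ""},
]

PHONE_FIELDS = ("TEL_CELL", "TEL_WORK", "TEL_HOME")
# Keys the advisory shows on every record; used as the schema to validate against.
REQUIRED_KEYS = ("FN", "CONTACT_ID") + PHONE_FIELDS


def encode_upload(contacts):
    """Build the form body the client would send (hypothetical helper for tests)."""
    return urlencode({"post_contact_data": json.dumps(contacts)})


def parse_contact_upload(body):
    """Decode a form body and return the list of contact records it carries.

    Returns [] when there is no post_contact_data field, when it is not valid
    JSON, or when it is not a JSON list, so callers can treat "no contacts" and
    "malformed upload" uniformly.
    """
    raw = parse_qs(body).get("post_contact_data")
    if not raw:
        return []
    try:
        contacts = json.loads(raw[0])
    except json.JSONDecodeError:
        return []
    return contacts if isinstance(contacts, list) else []


def count_phone_numbers(contacts):
    """Count every phone number across all TEL_* fields of all records."""
    total = 0
    for record in contacts:
        if not isinstance(record, dict):
            continue
        for field in PHONE_FIELDS:
            values = record.get(field, [])
            total += len(values) if isinstance(values, list) else 1
    return total


def malformed_records(contacts):
    """Return the records that lack any key the documented schema requires."""
    return [
        record for record in contacts
        if not isinstance(record, dict)
        or any(key not in record for key in REQUIRED_KEYS)
    ]


def assess_request(scheme, body):
    """Return a list of finding strings for one observed contact-upload request.

    scheme is the URL scheme the request was seen on ("http" or "https");
    body is the raw form body. An empty list means nothing to report.
    """
    contacts = parse_contact_upload(body)
    findings = []
    if not contacts:
        return findings
    numbers = count_phone_numbers(contacts)
    # The advisory's core point: the whole address book travels in cleartext.
    if scheme.lower() != "https":
        findings.append(
            f"address book uploaded in cleartext "
            f"({len(contacts)} contacts, {numbers} numbers)")
    # Records that do not match the documented shape should be rejected
    # server-side rather than merged into the shared search database.
    bad = malformed_records(contacts)
    if bad:
        findings.append(f"{len(bad)} records missing required fields")
    return findings


if __name__ == "__main__":
    for finding in assess_request("http", encode_upload(SAMPLE_CONTACTS)):
        print(finding)
```

Run against a captured body from a proxy or IDS extraction, `assess_request` gives one line per finding; the `https` branch returning nothing is the intended behaviour, since transport encryption is the fix the advisory describes for the cleartext issue, while the schema check stands in for the server-side validation that keeps arbitrary records out of the shared database.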