Full Disclosure mailing list archives
Re: TrueCaller Vulnerability Allows Changing Users Details
From: "Thor (Hammer of God)" <thor () hammerofgod com>
Date: Sun, 3 Jun 2012 23:21:14 +0000
You can still submit fake data by just adding fake contacts. And of course, the real privacy issue here is that you are sharing your freaking address book with the world. Frankly, I’m amazed anyone would even think about doing that.

Timothy “Thor” Mullen
www.hammerofgod.com
Thor’s Microsoft Security Bible <http://www.amazon.com/Thors-Microsoft-Security-Bible-Collection/dp/1597495727>

From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Kuwait WhiteHat
Sent: Friday, June 01, 2012 6:30 AM
To: bugtraq () securityfocus com; full-disclosure () lists grok org uk
Subject: [Full-disclosure] TrueCaller Vulnerability Allows Changing Users Details

TrueCaller – worldwide number search and spam filter, a top iPhone application in many countries, enables users to search half a billion phone numbers worldwide and much more. The application allows users to search numbers if and only if the user enables the Enhanced Search feature. When enabled, the user is warned that his contacts will be shared with other users to search, and his address book is sent to the TrueCaller database.

This process is done by sending the following HTTP “cleartext” request:

post_contact_data=[{"REV":"","FN":"ContactName","TEL_CELL":["MobileNumber"],"TCBID":"Number","FID":"Number","TEL_WORK":[Number],"TEL_HOME":[],"CONTACT_ID":"3619","LID":""}

From a security point of view, this is bad security behavior and may lead to one of the following situations:
· Privacy Issues
· Fake Data
· Enabling Enhanced Search features without having to share the user’s Address Book

Advisory Timeline
28/Apr/2012 – First contact: Vulnerability details sent
29/Apr/2012 – Response received: Asked for more details
29/Apr/2012 – Second contact: More details provided and cleared TrueCaller doubts
30/Apr/2012 – Vulnerability confirmed: TrueCaller started working on a fix
01/May/2012 – Vulnerability fixed: Fix submitted to Apple for approval
17/May/2012 – New version released: Fix approved by Apple and released
01/Jun/2012 – Vulnerability released

Details and more information here: http://q8whitehat.org/truecaller-vulnerability-allows-changing-users-name/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
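The thread's two points are that the upload body above carries raw address-book entries and that any uploader can seed fake names (Thor's "just adding fake contacts"). The following added example, which is not code from the advisory or from TrueCaller, parses a constructed body in the quoted post_contact_data format and models one server-side mitigation: a name is only published for a number once several distinct uploaders have submitted it. The threshold policy, the uploader ids and the sample values are assumptions.

```python
import json
from collections import defaultdict
from urllib.parse import parse_qs, urlencode

# Constructed sample modelled on the post_contact_data body quoted in the
# advisory: quotes normalised, the array closed, placeholders given fake values.
SAMPLE_BODY = urlencode({"post_contact_data": json.dumps([{
    "REV": "", "FN": "ContactName", "TEL_CELL": ["+10000000001"],
    "TCBID": "1", "FID": "1", "TEL_WORK": [], "TEL_HOME": [],
    "CONTACT_ID": "3619", "LID": "",
}])})


def parse_contact_upload(body):
    """Decode the form-encoded body and return the list of contact records."""
    fields = parse_qs(body, strict_parsing=True)
    return json.loads(fields["post_contact_data"][0])


def number_name_pairs(contacts):
    """Yield (number, display name) for every phone field of each uploaded contact."""
    for contact in contacts:
        for key in ("TEL_CELL", "TEL_WORK", "TEL_HOME"):
            for number in contact.get(key, []):
                yield str(number), contact["FN"].strip()


class CorroboratedDirectory:
    """Server-side store that publishes a name for a number only after at least
    `threshold` distinct uploaders have submitted it (assumed policy). One
    uploader, however many fake contacts they add, is counted once per name."""

    def __init__(self, threshold=3):
        self.threshold = threshold
        # number -> name -> set of uploader ids that submitted that pairing
        self._votes = defaultdict(lambda: defaultdict(set))

    def ingest(self, uploader_id, body):
        for number, name in number_name_pairs(parse_contact_upload(body)):
            self._votes[number][name].add(uploader_id)

    def lookup(self, number):
        """Return the most-corroborated name meeting the threshold, else None."""
        names = self._votes.get(number, {})
        accepted = [(n, len(u)) for n, u in names.items() if len(u) >= self.threshold]
        if not accepted:
            return None
        return max(accepted, key=lambda pair: pair[1])[0]
```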
Current thread:
- TrueCaller Vulnerability Allows Changing Users Details Kuwait WhiteHat (Jun 01)
- Re: TrueCaller Vulnerability Allows Changing Users Details Thor (Hammer of God) (Jun 03)
- Re: TrueCaller Vulnerability Allows Changing Users Details Григорий Братислава (Jun 04)
- Re: TrueCaller Vulnerability Allows Changing Users Details doc mombasa (Jun 05)
- Re: TrueCaller Vulnerability Allows Changing Users Details Григорий Братислава (Jun 05)
- Re: TrueCaller Vulnerability Allows Changing Users Details Kuwait WhiteHat (Jun 06)
- Re: TrueCaller Vulnerability Allows Changing Users Details Kuwait WhiteHat (Jun 06)
- Re: TrueCaller Vulnerability Allows Changing Users Details doc mombasa (Jun 06)
- Re: TrueCaller Vulnerability Allows Changing Users Details Q8WhiteHat (Jun 06)
- Re: TrueCaller Vulnerability Allows Changing Users Details Григорий Братислава (Jun 04)
- Re: TrueCaller Vulnerability Allows Changing Users Details Thor (Hammer of God) (Jun 03)