Security researcher Ali AlHabshi, from Kuwait WhiteHat, has discovered a vulnerability in the TrueCaller iPhone app that allows attackers to change user details.
He reported the vulnerability to True Software, which confirmed it and released version 2.78 of TrueCaller to fix it.
The Vulnerability Details:
The application allows users to search numbers only if the Enhanced Search feature is enabled. When the user enables it, they are warned that their contacts will be shared with other users for searching, and their address book is sent to the TrueCaller database.
This is done by sending the following HTTP request in cleartext:
post_contact_data=[{"REV":"","FN":"ContactName","TEL_CELL":["MobileNumber"],"TCBID":"Number","FID":"Number","TEL_WORK":[Number],"TEL_HOME":[],"CONTACT_ID":"3619","LID":""}]
From a security point of view this is poor practice and may lead to the following situations:
Privacy Issues
Although TrueCaller has a strict privacy policy, this behaviour allows third parties (e.g. ISPs, governments, or anyone sniffing the network) to intercept database entries and build a copy of TrueCaller's database.
Fake Data
The cleartext, unencrypted POST request may be leveraged to fake, change, or modify address book entries by repeating the request with fake entries in the parameter, filling TrueCaller's database with rogue entries.
Here's an example of an intercepted request after enabling the Enhanced Search feature:
Enabling the Enhanced Search feature without sharing the user's address book:
When the user enables Enhanced Search, the application sends an encrypted HTTP GET request, followed by the HTTP POST request outlined above. If a malicious user lets the GET request through and drops the following POST request (which contains his address book), he can use the Enhanced Search feature without sharing his address book, which TrueCaller certainly does not want to happen.
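As an added example (not code from the advisory, from Kuwait WhiteHat or from TrueCaller), a small Python audit helper that parses a captured request of the shape shown above and reports which address-book fields were readable to an on-path observer when the transport was plain HTTP. The host, path and contact values are constructed placeholders, and the form-encoding of the JSON list under post_contact_data is assumed from the intercepted request.

```python
import json
from urllib.parse import parse_qs, urlencode


def build_sample_request() -> str:
    """Constructed plain-HTTP request in the shape the advisory shows (placeholder host, path, contacts)."""
    contacts = [
        {"REV": "", "FN": "Alice Example", "TEL_CELL": ["+10000000001"], "TCBID": "1", "FID": "1",
         "TEL_WORK": ["+10000000002"], "TEL_HOME": [], "CONTACT_ID": "3619", "LID": ""},
        {"REV": "", "FN": "Bob Example", "TEL_CELL": ["+10000000003"], "TCBID": "2", "FID": "2",
         "TEL_WORK": [], "TEL_HOME": [], "CONTACT_ID": "3620", "LID": ""},
    ]
    # Assumed: the JSON list travels form-encoded under the post_contact_data parameter.
    body = urlencode({"post_contact_data": json.dumps(contacts, separators=(",", ":"))})
    return ("POST /enhanced_search HTTP/1.1\r\n"       # hypothetical path
            "Host: example-api.invalid\r\n"             # hypothetical host
            "Content-Type: application/x-www-form-urlencoded\r\n"
            "\r\n" + body)


def parse_http_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {k.strip().lower(): v.strip()
               for k, v in (line.split(":", 1) for line in header_lines)}
    return method, path, headers, body


def audit_contact_upload(raw: str, over_tls: bool) -> dict:
    """Report the personal data a captured contact upload carries and whether it was readable on the wire."""
    method, path, headers, body = parse_http_request(raw)
    form = parse_qs(body)  # decodes %2B back to '+' in phone numbers
    is_form = headers.get("content-type", "").startswith("application/x-www-form-urlencoded")
    if method != "POST" or not is_form or "post_contact_data" not in form:
        return {"finding": "no address-book upload", "contacts": 0, "names": [], "numbers": []}
    contacts = json.loads(form["post_contact_data"][0])
    names = [c.get("FN", "") for c in contacts]
    numbers = [str(n) for c in contacts
               for key in ("TEL_CELL", "TEL_WORK", "TEL_HOME") for n in c.get(key, [])]
    return {
        "finding": ("address-book upload over TLS" if over_tls
                    else "address-book upload readable in cleartext"),
        "contacts": len(contacts),
        "names": names,
        "numbers": numbers,
        "readable_on_the_wire": not over_tls,
    }


if __name__ == "__main__":
    print(audit_contact_upload(build_sample_request(), over_tls=False))
```

The same check run over a real capture tells a defender exactly which names and numbers left the device unprotected, which is the concrete privacy impact the advisory describes and the reason the upload belongs behind TLS.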
Advisory Timeline
28/Apr/2012 – First contact: Vulnerability details sent
29/Apr/2012 – Response received: Asked for more details
29/Apr/2012 – Second Contact: More details provided and cleared TrueCaller doubts
30/Apr/2012 – Vulnerability Confirmed: TrueCaller started working on a fix
01/May/2012 – Vulnerability Fixed: Fix submitted to Apple for approval
17/May/2012 – New Version Released: Fix approved by Apple and released
01/Jun/2012 – Vulnerability disclosed publicly.