Last week, caller ID company Truecaller launched an app called the Guardians app, designed to share your location and other vital information with your family for safety reasons.
However, at launch the app had a major bug that allowed hackers to take full control of user accounts. Security researcher Anand Prakash, who discovered the vulnerability, informed Truecaller on Thursday, and the issue was corrected the same day.
Truecaller launched the Guardians app with the intention of sharing your information with family and friends for your safety. Through the app, you can share your live location and phone statistics with your trusted contacts. You can also press an emergency button to let your family know you might need help.
Prakash noted that the bug was in the “Connect with Truecaller API” section of the app. An attacker who knew your phone number could use it to log into your account: they could intercept the API request and change the phone number in it to access anyone’s account.
The account takeover allowed the attacker to add themselves or anyone else as a trusted contact on someone’s profile. Additionally, the bug allowed the attacker to see details of your family members, including names, birthdates, numbers, and live locations.
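The class of flaw described above, a server that logs in whichever phone number the request carries, is shown below next to a hardened check. This is an added example, not Truecaller's code: the request shape, the signed-assertion scheme, the key, and the account data are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed values for illustration only (hypothetical key and accounts).
SERVER_KEY = b"constructed-demo-key"
ACCOUNTS = {"+10000000001": "account-A", "+10000000002": "account-B"}


def issue_assertion(phone):
    """Stand-in for the identity provider: signs the phone number it verified."""
    payload = json.dumps({"phone": phone})
    sig = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def login_vulnerable(request):
    """Trusts the phone field in the body, so editing it switches accounts."""
    return ACCOUNTS.get(request["phone"])


def login_hardened(request):
    """Takes identity only from the signed assertion, never from the body."""
    assertion = request.get("assertion") or {}
    payload = str(assertion.get("payload", ""))
    sig = str(assertion.get("sig", ""))
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None  # missing or forged assertion
    verified_phone = json.loads(payload)["phone"]
    if request.get("phone") != verified_phone:
        return None  # body disagrees with the verified identity: reject and log
    return ACCOUNTS.get(verified_phone)


if __name__ == "__main__":
    # The caller verified +10000000001; the body field is then altered in transit.
    honest = {"phone": "+10000000001", "assertion": issue_assertion("+10000000001")}
    tampered = dict(honest, phone="+10000000002")
    print("vulnerable, tampered body:", login_vulnerable(tampered))
    print("hardened, tampered body:  ", login_hardened(tampered))
    print("hardened, honest request: ", login_hardened(honest))
```

A mismatch between the body field and the verified identity is also a useful detection signal, since a legitimate client has no reason to send one.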
Fortunately, no account data was disclosed. But for a privacy-focused app, this is a dangerous bug that puts user data at high risk. The company should have performed a thorough security audit before launching the app.