Indian Search Service Justdial Inadvertently Exposed Records of 100 Million Users


Once again, a security lapse has put the data of millions of customers at risk. This time, the affected firm appears to be Justdial, an Indian search service. Because of an unprotected database, the firm inadvertently leaked details of 100 million users.

Justdial Exposed Records Of 100 Million Users

Recently, a researcher found a leaky database exposing 100 million users’ records. The records allegedly belong to the Indian local search service Justdial. As discovered, the firm inadvertently exposed the user records through a leaky API endpoint connected to its database.

The researcher Rajshekhar Rajaharia first noticed the leak and then disclosed it in a tweet. Reportedly, he found 100 million publicly accessible records of Justdial users, including their explicit personal details.

However, as he couldn’t reach the firm about the matter, he approached a third party. They also independently verified his findings and confirmed that the leaky API endpoint not only exposed previous records but also fetched fresh results. The incident therefore also affected every user who had ever called the Justdial customer service number 88888 88888.

According to Rajaharia, the leaky endpoint isn’t a recent one but an old API endpoint that is no longer in use. He came across it while pentesting the recent APIs. The researcher also found some other old unprotected APIs.

“Rajshekhar also found a few other old unprotected APIs, one of which could allow anyone to trigger OTP request for any registered phone number, which might not be a serious security issue, but could be used for spamming users and costing the company.”

Justdial’s Denial Of Breach

Although Rajshekhar Rajaharia made clear observations regarding data exposure, Justdial categorically denied any breach. As reported by ETNow, the company’s CFO Abhishek Bansal said otherwise.

They went on to say:

Nonetheless, the researchers maintain that what they reported was not a breach but a vulnerable database exposing user records.

Let’s see what more we hear from the two sides in this regard.


Abeerah Hashim
