JustDial bug exposes data of over 156 million accounts in India

JustDial, an Indian local search app, has been found to be affected by a bug that allowed hackers to access the accounts of any of its 156 million users in India. The bug reportedly affected JustDial's web, mobile website, app and voice platforms.

Security researcher Ehraz Ahmed first spotted the security flaw, which was found in JustDial's Register API that is used for sign-ups. MoneyControl was first to report the issue.

Ahmed shared a video on YouTube which shows how a hacker can use any JustDial user's phone number as the user name and gain access to the account through the flaw. He also found that the bug allowed hackers to change account details for JustDial's payment option, JD Pay, which could enable them to redirect all the money that is in the account. Notably, though, the flaw did not allow them to send any money, since that requires an additional PIN.

JustDial acknowledges the bug in its app; however, according to the company, there has been no loss of or money reported so far. JustDial also confirmed that the bug has been fixed.

JustDial said in a statement, “We at JustDial take security seriously. There was a bug in one of our APIs which could potentially be accessed by an expert hacker. This bug has been fixed. We work with various security researchers to strengthen our platform and would like to thank Ehraz Ahmed for bringing this out to us.”
