The popular call-blocking application Truecaller recently made the news because of a security flaw. A researcher discovered a serious vulnerability in the Truecaller app that could have threatened the security of millions of users.
Indian security researcher Ehraz Ahmed found a critical vulnerability in the Truecaller app. Specifically, the vulnerability allowed a user to plant a URL in the profile picture. Hence, a potential attacker could exploit the flaw to inject a malicious URL into the profile picture. As a result, anyone clicking on the profile would fall victim to the attack.
According to Forbes, Ahmed stated,
The researcher revealed that such attacks could allow the attacker to extract numerous details about the user. This includes fetching the victim's IP address, user-agent and time without their knowledge.
He has also shared a proof-of-concept (PoC) of the exploit demonstrating how an attacker could fetch a victim's information.
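The root cause described above is a profile field that accepts an arbitrary URL, so that viewing the profile makes the viewer's device fetch a resource from a host the profile owner controls, which is what exposes the viewer's IP address and user-agent. The mitigation is server-side validation that only allows image references the service itself hosts. The following is an added illustration, not Truecaller's code or the researcher's PoC; the CDN hostname and the upload-ID format are placeholder assumptions.

```python
"""Server-side validation of a user-supplied profile-picture reference.

Added example, not Truecaller code. Assumes the service stores profile images
on its own CDN (placeholder host below) and issues opaque upload IDs. A
profile must never be able to point viewers at an arbitrary external host,
because that request is the channel through which a viewer's IP address and
user-agent leak to whoever controls the host.
"""
from urllib.parse import urlsplit

# Constructed allowlist: only the service's own image host may be referenced.
ALLOWED_IMAGE_HOSTS = frozenset({"images.example-cdn.test"})  # placeholder host
ALLOWED_SCHEMES = frozenset({"https"})
# Opaque upload identifiers: lowercase alphanumerics, fixed length (assumed format).
UPLOAD_ID_ALPHABET = frozenset("abcdefghijklmnopqrstuvwxyz0123456789")
UPLOAD_ID_LENGTH = 32


def is_upload_id(ref: str) -> bool:
    """True if ref looks like an ID issued by the upload service."""
    return len(ref) == UPLOAD_ID_LENGTH and set(ref) <= UPLOAD_ID_ALPHABET


def validate_picture_ref(ref: str) -> str:
    """Return a canonical picture URL for ref, or raise ValueError.

    Accepts either an upload ID or an https URL on an allowlisted host.
    Other schemes, other hosts, userinfo (host@evil tricks), explicit ports,
    query strings and fragments are rejected so that a stored profile can
    never make viewers contact a host outside the service.
    """
    ref = ref.strip()
    if is_upload_id(ref):
        return f"https://images.example-cdn.test/{ref}"

    parts = urlsplit(ref)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed")
    # urlsplit exposes 'user:pw@' separately; a hostname that appears before
    # an '@' is really userinfo, so reject anything with it.
    if parts.username is not None or parts.password is not None or parts.port:
        raise ValueError("userinfo or port not allowed")
    if (parts.hostname or "") not in ALLOWED_IMAGE_HOSTS:
        raise ValueError("host not allowed")
    if parts.query or parts.fragment:
        raise ValueError("query or fragment not allowed")
    # Rebuild from the parsed components rather than echoing the input.
    return f"https://{parts.hostname}{parts.path}"


def is_safe_picture_ref(ref: str) -> bool:
    """Boolean wrapper around validate_picture_ref for quick checks."""
    try:
        validate_picture_ref(ref)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: one legitimate reference, then attempts to point
    # viewers at an external host.
    for candidate in (
        "https://images.example-cdn.test/avatars/1.png",
        "https://tracker.example.test/pixel.png",
        "https://images.example-cdn.test@tracker.example.test/pixel.png",
        "http://images.example-cdn.test/avatars/1.png",
    ):
        print(f"{candidate!r}: {'accepted' if is_safe_picture_ref(candidate) else 'rejected'}")
```

Storing only an upload ID and rendering the URL server-side is the stronger design, since the client never sees a user-controlled URL at all; the allowlisted-URL branch is there for services that must accept URLs and shows the checks (scheme, userinfo, host, query) each of which closes a different way of smuggling an external host past a naive hostname comparison.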