TrueCaller Vulnerability Allows Changing Users' Details
TrueCaller, a worldwide number search and spam filter and a top iPhone application in Kuwait (according to App Store stats), lets users search half a billion phone numbers worldwide and more. I discovered a vulnerability in the TrueCaller iPhone application a month ago and described it briefly in an earlier post. The vulnerability was assigned CVE-2012-3344. As outlined there, the vulnerability was verified and confirmed by Mr. Alan Mamedi, COO at True Software, the company behind TrueCaller. Given how critical this finding is to both users and the company, I did not write this post until a fix was implemented and a new version of TrueCaller was available on the App Store.
Version "2.78" of TrueCaller is now available for download and fixes the vulnerability. However, users of older versions are not forced to upgrade, so if you are still on a lower version the vulnerability remains exploitable.
The application allows users to search numbers only if the user enables the Enhanced Search feature. When it is enabled, the user is warned that their contacts will be shared with other users for searching, and the address book is sent to TrueCaller's database. This is done by sending the following HTTP request in cleartext:
From a security point of view this is poor practice, and it leads to the following problems:
- Privacy Issues
- Fake Data
The cleartext, unencrypted POST request can be captured and replayed with fake entries in its parameters, filling TrueCaller's database with bogus (rogue) entries.
Here is an example of an intercepted request after enabling the Enhanced Search feature:
As outlined above, an attacker can submit fake entries to TrueCaller by changing the POST parameters, or at the very least change his or her own name to anything he or she likes.
- Enabling the Enhanced Search feature without sharing the user's address book
When the user enables Enhanced Search, the application sends an encrypted HTTP GET request, followed by the HTTP POST request outlined above. If a malicious user lets the GET request through but drops the following POST request (the one carrying the address book), the Enhanced Search feature is enabled without the address book ever being shared, which is exactly what TrueCaller does not want to happen.
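To make the two abuse cases concrete (replaying the cleartext POST with fake entries, and dropping the POST after the GET has already enabled the feature), here is an added example that models the enable flow server-side. It is a constructed simulation written for this post, not TrueCaller's real API, server code or fix: the class names, the token mechanism, the return strings and the sample address book are all assumptions, chosen to show the property a fix must have, namely that the feature is only switched on after a validated upload that is bound to the request which started it.

```python
"""Model of the Enhanced Search enable flow: a GET that turns the feature on,
then a POST that uploads the address book. Constructed simulation for
illustration only; not TrueCaller's real API or server code."""
import hmac
import re
import secrets
from dataclasses import dataclass, field

# Constructed sample address book, as a phone might upload it.
SAMPLE_BOOK = {"+96512345678": "Alice Example", "+96587654321": "Bob Example"}
E164 = re.compile(r"^\+[1-9]\d{6,14}$")


@dataclass
class VulnerableServer:
    """Hypothetical model of the behaviour the post describes."""
    enhanced: set = field(default_factory=set)     # accounts with the feature on
    directory: dict = field(default_factory=dict)  # number -> name

    def get_enable(self, user):
        # The feature is switched on as soon as the GET arrives, before any
        # address book has been received, so a dropped POST changes nothing.
        self.enhanced.add(user)
        return True

    def post_addressbook(self, user, entries):
        # Cleartext POST with no binding to the GET: anyone who captured one
        # can replay it with edited parameters and overwrite real names.
        self.directory.update(entries)
        return "ok"


@dataclass
class HardenedServer:
    """Assumed fix: enable only after a validated upload, over TLS, once."""
    pending: dict = field(default_factory=dict)    # user -> single-use token
    enhanced: set = field(default_factory=set)
    directory: dict = field(default_factory=dict)  # number -> {uploader: name}

    def get_enable(self, user):
        # Step 1 only issues a one-time token; nothing is enabled yet.
        token = secrets.token_hex(16)
        self.pending[user] = token
        return token

    def post_addressbook(self, user, token, entries, tls):
        if not tls:
            return "rejected: cleartext transport"
        expected = self.pending.get(user)
        if expected is None or not hmac.compare_digest(expected, token):
            return "rejected: no pending enable or bad token"
        if not entries or any(not E164.match(n) for n in entries):
            return "rejected: empty or malformed address book"
        del self.pending[user]  # token is single use, so a replay fails above
        for number, name in entries.items():
            # Record who claimed what instead of blindly overwriting.
            self.directory.setdefault(number, {})[user] = name
        self.enhanced.add(user)
        return "ok"


def run_demo():
    """Replays the two abuse cases from the post against both models."""
    v = VulnerableServer()
    v.get_enable("victim")  # the POST that should follow is dropped by a proxy
    v.post_addressbook("attacker", {"+96512345678": "Fake Name"})  # replayed POST
    h = HardenedServer()
    tok = h.get_enable("victim")
    dropped = "victim" in h.enhanced  # the GET alone must not enable anything
    first = h.post_addressbook("victim", tok, SAMPLE_BOOK, tls=True)
    replay = h.post_addressbook("victim", tok, {"+96512345678": "Fake Name"}, tls=True)
    return {
        "vuln_enabled_without_post": "victim" in v.enhanced,
        "vuln_overwritten": v.directory["+96512345678"],
        "hard_enabled_without_post": dropped,
        "hard_first_upload": first,
        "hard_replay": replay,
        "hard_record": h.directory["+96512345678"],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two caveats a practitioner should keep in mind. Moving the POST to TLS stops a network observer from reading or replaying the address book, but it does not stop the phone's owner, who can terminate TLS on their own device with an intercepting proxy; that is why the hardened model also refuses to enable the feature until a validated upload has arrived and binds that upload to a single-use token. And since the client is untrusted, a server can never fully prevent fake names; recording which account claimed which name (rather than overwriting the directory) at least limits the damage and makes bogus entries attributable.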
Disclosure timeline:
28/Apr/2012 – First contact: Vulnerability details sent
29/Apr/2012 – Response received: Asked for more details
29/Apr/2012 – Second Contact: More details provided and cleared TrueCaller doubts
30/Apr/2012 – Vulnerability Confirmed: TrueCaller started working on a fix
01/May/2012 – Vulnerability Fixed: Fix submitted to Apple for approval
17/May/2012 – New Version Released: Fix approved by Apple and released
01/Jun/2012 – Vulnerability details published