
TrueCaller Vulnerability Allows Changing Users Details

Introduction

TrueCaller, a worldwide number search and spam filter and a top iPhone application in Kuwait (according to AppStore stats), enables users to search half a billion phone numbers worldwide and much more. I discovered a vulnerability in the TrueCaller iPhone application a month ago and talked about it briefly in this post. The vulnerability was assigned CVE-2012-3344. As outlined in my post, the vulnerability was verified and confirmed by Mr. Alan Mamedi, COO at True Software, the company behind TrueCaller. Due to the criticality of this finding to both users and the company, I didn’t write this post until a fix was implemented and a new version of TrueCaller was available on the AppStore.

A new version of TrueCaller, 2.78, is now available for download and fixes the vulnerability. However, users of older versions are not forced to upgrade; if you’re still on a lower version, the vulnerability is still exploitable.

The Vulnerability

The application allows users to search numbers if and only if the user enables the Enhanced Search feature. When enabled, the user is warned that his contacts will be shared with other users to search, and his address book is sent to the TrueCaller database. This is done by sending the following HTTP request in cleartext:

post_contact_data=[{"REV":"","FN":"ContactName","TEL_CELL":["MobileNumber"],"TCBID":"Number","FID":"Number","TEL_WORK":[Number],"TEL_HOME":[],"CONTACT_ID":"3619","LID":""}]

From a security point of view, this is bad behavior and may lead to one of the following situations:

  • Privacy Issues

Although TrueCaller has a strict privacy policy, this behavior allows third parties (e.g. ISPs, governments, anyone sniffing the network) to intercept database entries and build a copy of TrueCaller’s database.

  • Fake Data

The cleartext, unencrypted POST request may be leveraged to fake or modify address book entries by repeating the POST request with fake entries in the parameter, filling TrueCaller’s database with fake (rogue) entries.

Here’s an example of an intercepted request after enabling the Enhanced Search feature:

As outlined above, an attacker may submit fake entries to TrueCaller by changing the POST parameters above, or at least change his/her name to whatever he/she likes.

  • Enabling Enhanced Search without having to share the user’s address book

When the user enables “Enhanced Search”, the application sends an encrypted HTTP GET request, followed by the HTTP POST request outlined above. If a malicious user allows the GET request to pass and drops the following POST request (which contains his address book), he will be able to enjoy the Enhanced Search feature without sharing his address book, which TrueCaller really does not want to happen.
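All three issues above, and the server-side controls debated in the comments (rate limiting, not trusting whatever the client sends), come down to one rule: the server, not the client, decides when Enhanced Search is on. The following is an added example, not True Software’s code, of a hypothetical server-side gate that rejects cleartext uploads, validates each post_contact_data entry, rate-limits uploads per account and only enables the feature once an upload has actually been accepted, so letting the GET pass and dropping the POST leaves the feature off; the field names follow the request shown above, while the phone-number pattern, the limit and the sample upload are assumptions.

```python
import json
import re
import time
from collections import defaultdict

# Hypothetical server-side gate (added example, not True Software's code).
E164 = re.compile(r"^\+?[1-9]\d{6,14}$")  # assumed phone-number format
MAX_UPLOADS_PER_HOUR = 3                   # assumed per-account limit

# Constructed sample in the post_contact_data shape shown above (not a real capture).
SAMPLE_UPLOAD = json.dumps([{"REV": "", "FN": "ContactName", "TEL_CELL": ["+96550000000"],
                             "TCBID": "1", "FID": "1", "TEL_WORK": [], "TEL_HOME": [],
                             "CONTACT_ID": "3619", "LID": ""}])

def _phone_numbers(entry):  # every number the entry carries in a TEL_* list
    return [n for key in ("TEL_CELL", "TEL_WORK", "TEL_HOME")
            for n in (entry.get(key) if isinstance(entry.get(key), list) else [])]

class EnhancedSearchGate:
    def __init__(self):
        self.uploads = defaultdict(list)  # account_id -> upload attempt times
        self.verified = set()             # accounts whose address book was accepted

    def accept_upload(self, account_id, scheme, body, now=None):
        """Handle the contacts POST; returns (accepted, reason). Only an accepted
        upload turns Enhanced Search on, so dropping the POST leaves it off."""
        now = time.time() if now is None else now
        if scheme != "https":                   # never take the address book in cleartext
            return False, "cleartext upload rejected"
        recent = [t for t in self.uploads[account_id] if now - t < 3600]
        if len(recent) >= MAX_UPLOADS_PER_HOUR:  # blunts bulk replays of fake entries
            return False, "rate limit"
        self.uploads[account_id] = recent + [now]
        try:
            entries = json.loads(body)
        except ValueError:
            return False, "malformed json"
        if not isinstance(entries, list) or not entries:
            return False, "empty or non-list payload"
        for e in entries:                        # per-entry schema checks
            if not isinstance(e, dict) or not isinstance(e.get("FN"), str) or not e["FN"].strip():
                return False, "entry without a name"
            numbers = _phone_numbers(e)
            if not numbers or not all(E164.match(str(n)) for n in numbers):
                return False, "entry without a valid phone number"
        self.verified.add(account_id)
        return True, "accepted"

    def enhanced_search_enabled(self, account_id):  # what the search endpoint consults
        return account_id in self.verified
```

The feature flag lives only in `verified`, so the search endpoint never has to trust a client-side claim that the address book was shared.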

 

Advisory Timeline

28/Apr/2012 – First contact: Vulnerability details sent
29/Apr/2012 – Response received: Asked for more details
29/Apr/2012 – Second Contact: More details provided and cleared TrueCaller’s doubts
30/Apr/2012 – Vulnerability Confirmed: TrueCaller started working on a fix
01/May/2012 – Vulnerability Fixed: Fix submitted to Apple for approval
17/May/2012 – New Version Released: Fix approved by Apple and released
01/Jun/2012 – Vulnerability Released

Comments (22)

  • Siddharth

    Hey I found the same in Android…
    We can enable Enhanced search without giving our contact details… :D

    • Siddharth

      Although it’s HTTPS, when you decompile the APK file, you get to know how it works…

      So it’s like with this you can create new users, send fake data, enable Enhanced Search, all without even having a mobile… ;)
      • Ali

        That’s right. I informed them that they will have to think of server-side protection.

        • Siddharth

          Yeah, but how can they do it? :-/
          I mean, I thought of it too, but I can’t think of any kind of security that can confirm whether the request is legitimate… It can only be minimized by limiting the number of requests per user…

          What do you think?
          • Ali

            They can encrypt the post parameters. With that, intercepted requests won’t be readable/modifiable.
            They should also implement a captcha system.

    • Ali

      Interesting. I think folks at True Software already know. :D

      Thanks.

  • Siddharth

    Hope they’ll do something about this too ;)
    And the parameters you gave above, TrueCaller is still working on those only..
    Maybe they just changed from HTTP to HTTPS on iPhone..
  • Ali

    That’s too bad. According to them, they have applied new server-side controls which I’m not aware of.
  • Siddharth

    Encrypting the parameters won’t work.. They are using encrypted parameters now too.. but with sslstrip, it can be made readable.. :)

    And a captcha system doesn’t look nice :D :P
    • Ali

      I’m not talking about SSL encryption here, but about client-level encryption. The parameter’s value is encrypted by the application itself with their own encryption algorithm, sent encrypted, and decrypted at the server side.

      Should be a better solution! Don’t you think?
  • Qigong w Gdansku

    Thank you very much for that big article

  • aaliyah

    This was the height… I just checked with my old number and the name that appeared was ridiculous.. pathetic… Can anyone help me to change that name?… PLEASE HELP
  • lebanon

    I want my name to be lebanon on TrueCaller
  • abdul khalid

    I want to change my name in TrueCaller ID. My name is Abdul Khalid, m 9880270227
  • Alok

    I tested that app. I stored a fake name and number in my cellphone.

    The next time, that name was appearing in my friend’s cell phone (using TrueCaller).
    They sync your contact details, I think.
    I removed it quickly.
  • Ketan Oza

    How can I change my profile?


All Rights Reserved. Q8WhiteHat.ORG | © 2012
