[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] TrueCaller Vulnerability Allows Changing Users Details

To: Kuwait WhiteHat <q8whitehat@xxxxxxxxx>, "bugtraq@xxxxxxxxxxxxxxxxx" <bugtraq@xxxxxxxxxxxxxxxxx>, "full-disclosure@xxxxxxxxxxxxxxxxx" <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] TrueCaller Vulnerability Allows Changing Users Details
From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
Date: Sun, 3 Jun 2012 23:21:14 +0000

You can still submit fake data by just adding fake contacts.  And of course, 
the real privacy issue here is that you are sharing your freaking address book 
with the world.  Frankly, I’m amazed anyone would even think about doing that.

[Description: Description: Description: Description: Description: Description: 
Description: Description: Description: TimSig]

Timothy “Thor”  Mullen
www.hammerofgod.com
Thor’s Microsoft Security 
Bible<http://www.amazon.com/Thors-Microsoft-Security-Bible-Collection/dp/1597495727>


From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx 
[mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of Kuwait WhiteHat
Sent: Friday, June 01, 2012 6:30 AM
To: bugtraq@xxxxxxxxxxxxxxxxx; full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] TrueCaller Vulnerability Allows Changing Users 
Details


TrueCaller – worldwide number search and spam filter, a top iPhone application 
in many countries, enables users to search half a billion phone numbers 
worldwide and much more.

The application allows users to search numbers if and only if the user enables 
Enhanced Search feature. When enabled, the user is warned that his contacts 
will be shared with other users to search and his address book is sent to 
TrueCaller database. This process is done by sending the following HTTP 
“cleartext” request:

post_contact_data=[{"REV":"","FN":"ContactName","TEL_CELL":["MobileNumber"],”TCBID”:”Number“,”FID”:”Number“,”TEL_WORK”:[Number],”TEL_HOME”:[],”CONTACT_ID”:”3619″,”LID”:”"}

From a security point of view, this is a bad security behavior and may lead to 
one of the following situations:
·         Privacy Issues
·         Fake Data
·         Enabling Enhanced Search features without having to share user’s 
Address Book



Advisory Timeline

28/Apr/2012 – First contact: Vulnerability details sent
29/Apr/2012 – Response received: Asked for more details
29/Apr/2012 – Second Contact: More details provided and cleared TrueCaller 
doubts
30/Apr/2012 – Vulnerability Confirmed: TrueCaller started working on a fix
01/May/2012 – Vulnerability Fixed: Fix submitted to Apple for approval
17/May/2012 – New Version Released: Fix approved by Apple and released
01/Jun/2012  - Vulnerability Released.

Details and more information here:
http://q8whitehat.org/truecaller-vulnerability-allows-changing-users-name/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] TrueCaller Vulnerability Allows Changing Users Details
  - From: Григорий Братислава

References:
- [Full-disclosure] TrueCaller Vulnerability Allows Changing Users Details
  - From: Kuwait WhiteHat

Prev by Date: Re: [Full-disclosure] NSA Cyber security program [ maybe off-topic ]
Next by Date: [Full-disclosure] Unauthorized Digital Certificates Could Allow Spoofing
Previous by thread: [Full-disclosure] TrueCaller Vulnerability Allows Changing Users Details
Next by thread: Re: [Full-disclosure] TrueCaller Vulnerability Allows Changing Users Details
Index(es):
- Date
- Thread