India is the second most affected country by cyber attacks, and this was exposed again when researcher Rajshekhar Rajaharia reported major flaws in the security of the listing site JustDial’s database. Known for its hyperlocal search assistance, JustDial had a security loophole that revealed sensitive information of over 100 million users. The company’s recent response confirmed that the security breach is now fixed.
However, the researcher again discovered a breach in the company’s APIs on April 29, exposing the reviewer database of JustDial. In an interview with Inc42, Rajaharia said that the second loophole was fixed on the same day he reported it.
“The API connected to Justdial’s database of reviewers has been unprotected since the company’s foundation. This loophole means that reviewers’ name, mobile number, and location were publicly available on the internet,” Rajaharia said while talking to Inc42.
Earlier, a JustDial spokesperson addressed the recent security breaches while talking to Inc42. He said that “All sensitive user information including any financial information as well as any user passwords are protected as per industry practices (further, the majority of JD platforms work on OTP-based authentication).” The spokesperson confirmed that all the financial information is double-encrypted on their platforms and is also audited by a PCI DSS-compliant auditing firm on a regular basis.
JustDial Multiple Security Breach Saga
On April 12, the researcher took to Facebook to reveal that user data was publicly available from the platform. The Facebook post read: “Dear Justdial Your 100 Million users data including name, email, mobile number, gender, dob, address, photo, company, occupation & other details are publicly accessible.”
While the company first denied any media meetings, it responded when Inc42 reported that the recent data breaches had left the 100 million users exposed on the website. Rajeev Nair, the senior database architect, told Inc42, “We are still investigating the system for any such alleged loopholes. We have been trying for the past two-three days and as far as we are concerned there is no loophole. Most of our systems and APIs are foolproof and there are security and coding enrichments that we do around it. We will explore further on the front pointed out by the security researcher and arrest it as soon as we can, if at all there is any loophole like this.”
On April 18, Justdial stated that the news reports about recent security breaches were not real and that its 100 million users were safe, contrary to the claims in the reports.
However, later that day Rajaharia again spoke to the media and said that the problem was still not fixed, contrary to what the company was claiming. He said, “Lots of APIs are still available which anyone can use to spam or bombard thousands or lakhs of SMSes at once without their (Justdial or its users) permission. These APIs also don’t use any token or any other auth captcha.”
After that, Rajaharia again talked to Inc42 and confirmed that the loophole behind the recent security incident was finally fixed by Justdial on the evening of April 18. However, he also highlighted that the problem could be deeper than is visible and that Justdial needs to build a strong information security system.