What is Truecaller?
Truecaller is a smartphone application that provides caller identification, call blocking, flash messaging, call recording, and internet-based chat and voice calls. The service requires users to register with a standard cellular mobile number.
What is the Flaw?
The flaw exists in one of their APIs, which allows an attacker to set a malicious link as the profile picture.
In my example, I placed a malicious link that fetches the user's IP address.
Whenever a user views the attacker's profile on Truecaller, either through a search or through the popup shown during a call, the custom script is executed and the user's IP address is recorded. The user viewing the profile won't notice any difference, because the output of the custom script is an image, so the profile looks like any other Truecaller profile.
With the user's IP address, the attacker can perform attacks such as DDoS and brute force, and can also scan for open ports to exploit further.
How can you reproduce it?
You need the authentication token and a malicious link to set as the profile picture.
With the above information, you send a request to their API with the malicious link in the avatarUrl parameter and the authentication token in the authorization parameter.
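The root cause is that the avatarUrl parameter accepted any URL, so every viewer's client connected straight to an attacker-controlled host. The following is an added example of how a server can close that gap; it is illustrative code written for this write-up, not Truecaller's code, and the host names, the PROXY_SECRET value and the handler function names are assumptions. It shows the unchecked handler beside a hardened one that allow-lists the service's own image host, plus the second common fix: rewriting external image URLs through an HMAC-signed proxy so the viewer only ever talks to the service itself.

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import urlparse

# Assumption (not Truecaller's real configuration): profile images live on the
# service's own CDN host, and only that host should appear in avatarUrl.
ALLOWED_AVATAR_HOSTS = {"avatars.example-cdn.invalid"}
ALLOWED_SCHEMES = {"https"}

# Hypothetical proxy settings. In practice the secret comes from a secret store.
PROXY_BASE = "https://img-proxy.example.invalid/"
PROXY_SECRET = b"constructed-example-secret"


def validate_avatar_url(url: str) -> bool:
    """Return True only if the URL points at the service's own image host."""
    try:
        parts = urlparse(url)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme not in ALLOWED_SCHEMES:
        return False
    if parts.username or parts.password:
        # Reject "https://allowed-host@attacker-host/..." style confusion.
        return False
    host = (parts.hostname or "").lower()
    return host in ALLOWED_AVATAR_HOSTS


def update_avatar_unsafe(profile: dict, avatar_url: str) -> dict:
    """The behaviour the write-up describes: the parameter is stored unchecked."""
    profile["avatarUrl"] = avatar_url
    return profile


def update_avatar_hardened(profile: dict, avatar_url: str) -> dict:
    """Hardened handler: anything off the allow-listed host is rejected."""
    if not validate_avatar_url(avatar_url):
        raise ValueError("avatarUrl must point at the service's own image host")
    profile["avatarUrl"] = avatar_url
    return profile


def proxied_avatar_url(origin_url: str) -> str:
    """Alternative fix: serve the image through a signed proxy path.

    The viewer's client requests PROXY_BASE only; the proxy fetches the origin
    server-side, so the origin host never sees the viewer's IP address.
    """
    hexurl = origin_url.encode("utf-8").hex()
    digest = hmac.new(PROXY_SECRET, origin_url.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{PROXY_BASE}{digest}/{hexurl}"


def resolve_proxy_path(proxy_url: str) -> Optional[str]:
    """Proxy-side check: recover the origin URL only if the signature is valid."""
    if not proxy_url.startswith(PROXY_BASE):
        return None
    try:
        digest, hexurl = proxy_url[len(PROXY_BASE):].split("/", 1)
        origin_url = bytes.fromhex(hexurl).decode("utf-8")
    except ValueError:  # bad hex or bad UTF-8 (UnicodeDecodeError is a ValueError)
        return None
    expected = hmac.new(PROXY_SECRET, origin_url.encode("utf-8"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(digest, expected):
        return None  # forged or tampered path: the proxy must not fetch it
    return origin_url


if __name__ == "__main__":
    good = "https://avatars.example-cdn.invalid/u/123.png"
    bad = "https://attacker.invalid/track.png"  # constructed sample, not a real host
    print(validate_avatar_url(good), validate_avatar_url(bad))  # True False
    print(update_avatar_unsafe({}, bad))  # stored as-is: the original flaw
    print(proxied_avatar_url(bad))  # viewer is pointed at the proxy instead
```

The allow-list is the simpler change and is the right one when the service controls image uploads; the signed proxy is for services that must keep accepting external image links, and the HMAC stops anyone from using the proxy as an open fetcher.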
- The flaw has now been fixed and acknowledged.