JustDial which is India’s largest local search service is reported to be leaking personal data of its customers in real-time through an unprotected database. The data breach was revealed by Rajshekhar Rajaharia, an independent security researcher who shared details of how an unprotected, publicly accessible API endpoint of JustDial’s database can be accessed by anyone to view profile information of over 100 million users associated with their mobile numbers.
JustDial (JD) is the oldest and leading local search engine in India which permitted the users to find applicable nearby providers and vendors of products and services quickly and also helps the businesses listed in the JustDial to market their products.
The leaked data includes name, email, mobile number, address, gender, date of birth, photo, occupation, company name etc. of the users registered in JustDial.
The unprotected APIs existed since at least mid-2015, but it is not known whether anyone has misused it to get personal information of JustDial users.
The API is fetching results directly from the production server or from a backup database that might not have information belonging to recently signed-up users. This also includes people who had called the customer care number of JustDial as well.
Even though the unprotected API is connected to the primary JD database, Rajshekhar revealed that it is an old API endpoint which is not currently being used by the company but left forgotten on the server.
The researcher said that he found this unprotected end-point while pentesting the latest APIs in use, which are apparently protected and using authentication measures.
He also found some other old unprotected APIs, one of which would let anyone to trigger OPT request for any registered phone number. This might not be a serios issue but it could be used for spamming users.
Rajshekhar also stated that he tried to contact the company to responsibly disclose his findings, but failed to find any direct way to contact the company and report the incident.