Truecaller explains the bug that automatically generated UPI accounts of its users in India

The Truecaller Pay bug, which signed users up for its payment service without permission, has now been taken care of. Truecaller explains the reason behind the vulnerability.

By: MARCIA SEKHOSE
| Updated on: Aug 20 2022, 16:09 IST
Truecaller Pay bug. (Shutterstock)

Truecaller last week received major backlash in India after a bug in its payments service automatically generated UPI accounts of thousands of users. Truecaller users took to social networking platforms to complain that the app had created their accounts without their permission.

This bug affected Truecaller users on Android who updated the app to its latest version. Users found out through an SMS saying that their registration for UPI had started. The process couldn't be completed since the final step requires the user to enter a UPI PIN. Truecaller users took to Twitter and the Google Play Store to complain about it.

In a detailed email, Truecaller has addressed the vulnerability and how it happened. The company said that the API for registered Truecaller Pay users affected those who are not yet on the payments service.

"As a consequence, the payments backend responded with an error code signalling that the users have insufficient credentials to perform this request (that's what that odd SMS message was about). Under normal circumstances this would be the correct course of action, since this error would have occurred only for a pre-registered user. This triggered a credential refresh which would eventually cause the UPI registration to be triggered inadvertently," Truecaller explained.

Truecaller said 0.12% of users were affected by the Truecaller Pay bug. The created Truecaller accounts were also deleted soon after the incident was discovered. The company further explained that since the UPI setup was not completed, no user data or finances were affected. Following the discovery, Truecaller patched the bug, and there's an update for the app as well.
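A minimal model of the failure described in Truecaller's statement above, as an added example that is not Truecaller's code: the backend class, error name, function names and users are all hypothetical. It shows how a recovery path that assumes its error can only come from a registered user starts registration for everyone else, and how gating the call on explicit opt-in keeps the legitimate refresh while closing that path.

```python
from dataclasses import dataclass, field

INSUFFICIENT_CREDENTIALS = "INSUFFICIENT_CREDENTIALS"  # constructed error name


@dataclass
class PaymentsBackend:
    """Toy stand-in for a payments backend; every name here is hypothetical."""
    registered: set = field(default_factory=set)
    expired: set = field(default_factory=set)   # registered, stale credentials
    sms_log: list = field(default_factory=list)

    def fetch_pay_profile(self, user):
        # API intended only for users already on the payments service.
        if user in self.registered and user not in self.expired:
            return "OK"
        return INSUFFICIENT_CREDENTIALS

    def start_upi_registration(self, user):
        # User-visible side effect: the "registration has started" SMS.
        self.sms_log.append(user)


def call_with_recovery(backend, user):
    status = backend.fetch_pay_profile(user)
    if status == INSUFFICIENT_CREDENTIALS:
        # Assumption: the statement says a refresh "eventually" triggers UPI
        # registration; that chain is modelled here as one direct call.
        backend.start_upi_registration(user)
    return status


def client_flawed(backend, user, opted_in):
    """Ignores opt-in state and trusts the error to mean 'registered user'."""
    return call_with_recovery(backend, user)


def client_hardened(backend, user, opted_in):
    """Gates the call, and so the recovery path, on explicit opt-in."""
    return call_with_recovery(backend, user) if opted_in else "SKIPPED"


def run_demo():
    users = {"alice": True, "bob": False, "carol": True}  # constructed: name -> opted in
    flawed = PaymentsBackend({"alice", "carol"}, {"carol"})
    hardened = PaymentsBackend({"alice", "carol"}, {"carol"})
    for user, opted_in in users.items():
        client_flawed(flawed, user, opted_in)
        client_hardened(hardened, user, opted_in)
    return flawed.sms_log, hardened.sms_log
```

In the flawed client, `bob`, who never opted in, receives the registration SMS alongside `carol`, whose credentials had genuinely expired; the hardened client refreshes only `carol`.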

In addition to this, Truecaller also refuted reports of the company reading user SMSs to create a credit score. This is with regard to Truecaller Pay's loans scheme, which is offered to users without a traditional credit score. Truecaller said it may access transactional SMSs but only with user consent.

First Published Date: 06 Aug, 16:22 IST