Truecaller’s Guardian app had a bug that could let hackers track your family, it’s been fixed now
The bug was in the app’s “Log in with Truecaller API”. This meant that a hacker could use your phone number to log into your account on the Guardian app.
Truecaller launched Guardian last week, an app that's been designed to share your location and important details with ‘guardians' of your choice in cases of emergency. The app is supposed to be able to get you aid as quickly as possible at the location you are in.
Soon after the app was announced, a major bug was discovered that could let hackers take full control over users' accounts and track them.
To understand, the main concept behind the Guardian app is to share your information with family members and other trusted contacts to stay safe while you travel/commute. You can share your live location, phone's battery status and network status with trusted contacts and also let them know if you need assistance by clicking on the ‘emergency' button.
The bug discovered by Prakash was in the app's “Log in with Truecaller API”. This meant that a hacker could use your phone number to log into your account on the Guardian app. They could then intercept the API's request and change the phone number to get access to your account and control it.
This account takeover could let hackers add themselves or pretty much anyone else as a trusted contact on another person's profile. This bug also allowed the hacker to view your family members' details like name, birth dates, phone number and live location.
Truecaller said in a statement that that the bug was a development configuration that made its way to the final roll by mistake.
“In this case, the issue pointed out by Anand was due to a development configuration being rolled out by mistake during the launch phase. Our engineers were already rolling out a fix at the time of his submission to ensure user safety,” Truecaller said.
Fortunately though, no account data was leaked and the bug was fixed in time.