Justdial data faces theft risk
Hyderabad: In continuation of the data leak saga in the Indian context, over 10 million records comprising personal details such as name, phone number, email id, and date of birth of Justdial customers has been identified as “unprotected”.
Data of as many as 10 crore Justdial users was found to be stored in an unsecured manner since 2015. An independent security researcher, Rajshekhar Rajahari, based in Gurgaon, discovered the security loophole on April 12, when he stumbled upon the unprotected records on the Application Progra-mming Interface (API) of Justdial that connects their websites, application to the database. Here is how Justdial has been saving data: When a caller dials 888-888-8888 or the landline numbers, the operator seeks information, that is, name, email id, and the phone number is automatically stored. Further, this personal information is stored in their database.
Mr Rajahari told this newspaper, “The Mumbai based hyper-local search engine has 10 million users and Justdial has been storing customer’s personal data. What connects their database to the websites (www.justdial.com), t.justdial.com and mobile application is an application programming interface (API). This API is facing data breach as the personal information stored is unprotected and is accessible to all.”
Mr Rajahari further said, “What is interesting is that the API has real-time access. For instance, any given day over 1 lakh callers dial Justdial and their data is immediately stored and reflects on the API. This is vulnerable to Advertising targets. I found the breach on April 12, 2019, reported it to their Facebook and even LinkedIn. They haven’t replied as yet.”
The independent researcher took to his Facebook account and wrote: ‘Dear Justdial your 100 million users data including name, email id, mobile, number, gender, date of birth, address, photo, company, occupation and other details are publicly accessible. fix it ASAP. I found no way to contact your tech/security team. Even not able to tag you on facebook, twitter. There should be a section on your website where someone could report security related issue.’
Eight days after the loophole was detected, the management of Justdial put out a statement saying: “The case is under investigation”. Justdial has a presence in 11 cities, so the data stored will be of users across India. Srinivas Kodali, a security researcher, said, “It is vulnerable as the sensitive data can be used by cybercriminals, ad targets, hackers.”