Truecaller says it has fixed a flaw in its Android app which potentially allowed attacker to retrieve personal information of users and change these details without a user's consent. Security researchers at Cheetah Mobile Security Research Lab detailed this vulnerability.
The flaw only existed in Truecaller's Android client, and according to the company, it has been resolved with an update. To recall, Truecaller in November last year said it had 200 million users across its Android, iOS, and Windows Phone apps.
Truecaller on Monday announced the availability of an update to its Android app that fixes the security flaw. Researchers at Cheetah Mobile firm reported on Monday that Truecaller utilises IMEI number to identify a person. In a proof-of-concept code the firm shared with Softpedia, researchers were able to retrieve the personal details of users by "interacting with the app's servers." The security firm added that up to 100 million users of the Android app are affected.
"This vulnerability allows anyone to steal Truecaller users' sensitive information, potentially opening doors for attackers. Overall, more than 100 Million Android users who have downloaded this app on their smartphones are in danger," security researchers wrote in a blog post. "By exploiting this flaw, the attackers can: Steal personal information like account name, gender, e-mail, profile pic, home address, etc, and modify a user's application settings."
(Also see: How to Remove Your Number From Truecaller)
Truecaller has acknowledged the bug. In a blog post, the company, whose app helps users find information about the caller and block telemarketers, wrote, "We recently found an issue where some user defined information can be retrieved or changed without the original user's consent, if a third person knows the IMEI number of the original person's device. "
At this point, it's likely that there is no exploit in the wild. To ensure you're secure however, ensure you have updated Truecaller to the latest available version.