The world’s largest caller ID app had a significant privacy flaw, one which put the personal information of over a hundred million users at risk. A day after its discovery, the app developer has predictably patched the vulnerability with a new version of the application.
The news first broke when security researchers at Cheetah Mobile discovered a privacy flaw in Truecaller, the world’s most popular caller ID application for smartphones.
The flaw lies in the way Truecaller used a phone’s IMEI number as the indicator and identity of the user. The Cheetah Mobile report revealed that anyone who obtained the IMEI of a device could retrieve the Truecaller user’s personal information without the user’s consent.
The personal information at stake included phone number, home address, gender, mailbox and more, potentially leaving over 100,000,000 Android users’ data in the hands of malicious data thieves for activities such as phishing.
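The pattern the report describes, a device identifier standing in for the credential that unlocks a user’s record, and the server-side alternative of issuing an unguessable, account-bound token, as an added illustration. This is constructed example code written for this article, not Truecaller’s code or API; the service classes, the profile records, the IMEI value and the `proof_of_control` enrolment step are all assumptions.

```python
"""Why a device identifier is not a credential.

An IMEI is printed on the device and its box, shown by dialling a
service code, and readable by any app holding the phone permission,
so it is an identifier many parties can learn, not a secret. A service
that returns or edits a record for whoever presents the matching IMEI
has no authentication at all. The hardened variant below keeps the
IMEI only as an enrolment hint and authorises every request with a
random bearer token that the server issued to that account.
"""
import hashlib
import secrets

# Constructed sample records keyed by IMEI (hypothetical values, not real users).
PROFILES = {
    "490154203237518": {
        "name": "A. User",
        "phone": "+10000000001",
        "address": "1 Example Street",
        "gender": "F",
    },
}


class InsecureLookupService:
    """The flawed pattern: the IMEI alone both selects and authorises the record."""

    def __init__(self, profiles):
        self._profiles = profiles

    def get_profile(self, imei):
        # Whoever learns the IMEI gets the record: the identifier doubles as the credential.
        return self._profiles.get(imei)


class TokenLookupService:
    """Hardened pattern: requests are authorised by a server-issued random token.

    Knowing the IMEI alone returns nothing; a token is only issued after an
    out-of-band proof that the caller controls the account (hypothetical
    `proof_of_control` flag here, e.g. an SMS code in a real deployment).
    Only a hash of each token is stored, so a database leak does not hand
    out usable credentials.
    """

    def __init__(self, profiles):
        self._profiles = profiles
        self._token_hashes = {}  # sha256(token) -> imei

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def enrol(self, imei, proof_of_control):
        if not proof_of_control or imei not in self._profiles:
            return None
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
        self._token_hashes[self._digest(token)] = imei
        return token

    def get_profile(self, token):
        imei = self._token_hashes.get(self._digest(token))
        return self._profiles[imei] if imei is not None else None

    def revoke(self, token):
        # Lets the account holder invalidate a token that may have leaked.
        return self._token_hashes.pop(self._digest(token), None) is not None


def demo():
    """Run both services against a leaked IMEI and return the outcomes."""
    leaked_imei = "490154203237518"
    insecure = InsecureLookupService(PROFILES)
    hardened = TokenLookupService(PROFILES)

    flawed = insecure.get_profile(leaked_imei)          # record returned to anyone
    without_token = hardened.get_profile(leaked_imei)   # None: IMEI is not a credential
    token = hardened.enrol(leaked_imei, proof_of_control=True)
    with_token = hardened.get_profile(token)            # record for the legitimate holder
    hardened.revoke(token)
    after_revoke = hardened.get_profile(token)          # None once revoked
    return flawed, without_token, with_token, after_revoke


if __name__ == "__main__":
    for label, result in zip(
        ("IMEI-keyed lookup", "token service, IMEI only",
         "token service, issued token", "token service, revoked token"),
        demo(),
    ):
        print(f"{label}: {result}")
```

The point of `demo()` is the second value: the hardened service, handed exactly the IMEI that unlocked the record in the flawed design, returns nothing.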
The security researchers at the firm discovered the vulnerability and informed Truecaller, and the updated application containing the patch has since been released on the Google Play store. While the patch is out, plenty of users haven’t updated to the latest version yet, meaning millions of users are still at risk.
A Truecaller Patch
For its part, Truecaller has responded quickly and capably to the concern, both patching the vulnerability and stating that it encountered no suspicious activity as a result of the vulnerability.
“Our constant monitoring indicates that no user information has been compromised,” read an answer to a newly posted FAQ in a direct response to the vulnerability.
An excerpt from the post explaining the vulnerability read:
We recently found an issue where some user defined information can be retrieved or changed without the original user’s consent, if a third person knows the IMEI number of the original person’s device.
The statement further added that the issue has since been resolved with a quick update. All users are strongly urged to update to the newest version of the app.
Notably, the vulnerability only affects Truecaller on Android devices, even though the application is also available for iOS and Windows Phone users.