lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 1 Jun 2012 16:29:49 +0300
From: Kuwait WhiteHat <q8whitehat@...il.com>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: TrueCaller Vulnerability Allows Changing Users
	Details

TrueCaller – worldwide number search and spam filter, a top iPhone
application in many countries, enables users to search half a billion phone
numbers worldwide and much more.

The application allows users to search numbers if and only if the user
enables *Enhanced Search* feature. When enabled, the user is warned that
his contacts will be shared with other users to search and his address book
is sent to TrueCaller database. This process is done by sending the
following HTTP “*cleartext*” request:

post_contact_data=[{"REV":"","FN":"ContactName","TEL_CELL":["MobileNumber
"],”TCBID”:”Number“,”FID”:”Number
“,”TEL_WORK”:[Number],”TEL_HOME”:[],”CONTACT_ID”:”3619″,”LID”:”"}

>>From a security point of view, this is a bad security behavior and may lead
to one of the following situations:

   - *Privacy Issues*
   - *Fake Data*
   - *Enabling Enhanced Search features without having to share user’s
   Address Book*



*Advisory Timeline*

28/Apr/2012 – First contact: Vulnerability details sent
29/Apr/2012 – Response received: Asked for more details
29/Apr/2012 – Second Contact: More details provided and cleared TrueCaller
doubts
30/Apr/2012 – Vulnerability Confirmed: TrueCaller started working on a fix
01/May/2012 – Vulnerability Fixed: Fix submitted to Apple for approval
17/May/2012 – New Version Released: Fix approved by Apple and released
01/Jun/2012  - Vulnerability Released.

Details and more information here:
http://q8whitehat.org/truecaller-vulnerability-allows-changing-users-name/

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ