Apart from accessing user information such as names, phone numbers, and email addresses, the vulnerability allowed them to peek into financial details including balance and transactions of an account through JustDial Pay, the company’s payment service. First reported by MoneyControl, the bug was discovered by security researcher Ehraz Ahmed last month. It exploited the site’s Register API used for sign-ups. A video posted by Ahmed shows a hacker can use a person’s phone number as user name and gain access to the account through the flaw. The bug allowed hackers to even change account details for JD Pay so all the money sent to that account gets redirected. However, it didn’t allow them to send money as it requires an additional PIN. JustDial said in a statement the flaw was fixed yesterday: The company said there was no loss of data.
