Caller ID app "Truecaller" has been called out for using a device's IMEI and nothing else to identify users in its systems.
The flaw, described by Cheetah Mobile's security researchers, has been fixed – but only if users realise they need to download a new version of the app's Android incarnation.
Cheetah Mobile reckons the app has been downloaded 100 million times.
“Anyone gaining the IMEI of a device will be able to get Truecaller users’ personal information (including phone number, home address, mail box, gender, etc.) and tamper app settings without users’ consent, exposing them to malicious phishers”, Cheetah's note says.
Truecaller claims to “search and identify any phone number”, as well as offering users the ability to create custom lists blocking specific numbers and hidden numbers, and a presence function to check when friends are available.
Truecaller's Android app was upgraded on March 22, according to Google Play. Truecaller has published an announcement about the upgrade. The company says no user information was compromised by the bug. ®
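The design weakness Cheetah describes, a device identifier doubling as the only credential, is shown below next to a hardened form. This is an added illustration, not Truecaller's code or API: the `AccountStore` class, its method names, the sample IMEI and the profile fields are all hypothetical and constructed for the example.

```python
import hmac
import secrets

SAMPLE_IMEI = "490000000000001"  # constructed 15-digit value, not a real device

class AccountStore:
    """Hypothetical backend (an assumption for illustration only)."""

    def __init__(self):
        self._profiles = {}  # imei -> profile dict
        self._tokens = {}    # imei -> server-issued secret

    def register(self, imei, profile):
        """Enrol a device and return a random secret only that install holds."""
        self._profiles[imei] = dict(profile)
        token = secrets.token_urlsafe(32)
        self._tokens[imei] = token
        return token

    def get_profile_weak(self, imei):
        """Flawed pattern: the identifier both selects and authorises."""
        return self._profiles.get(imei)

    def get_profile(self, imei, token):
        """Hardened: the IMEI only selects the account; the token authenticates."""
        expected = self._tokens.get(imei)
        if expected is None or not hmac.compare_digest(expected.encode(), token.encode()):
            return None
        return self._profiles[imei]

    def update_settings(self, imei, token, **changes):
        """Settings changes go through the same authenticated path."""
        profile = self.get_profile(imei, token)
        if profile is None:
            return False
        profile.update(changes)
        return True

def demo():
    store = AccountStore()
    token = store.register(SAMPLE_IMEI, {"phone": "+10000000000", "block_hidden": True})
    return (
        store.get_profile_weak(SAMPLE_IMEI) is not None,    # IMEI alone: data returned
        store.get_profile(SAMPLE_IMEI, "") is not None,     # IMEI alone: refused
        store.get_profile(SAMPLE_IMEI, token) is not None,  # enrolled install: allowed
        store.update_settings(SAMPLE_IMEI, "guess", block_hidden=False),  # tamper refused
    )
```

An IMEI is printed on packaging and readable by other software on the handset, so it can label an account but cannot prove who is asking for it.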