A SEVERE VULNERABILITY has been uncovered in Truecaller for Android that put the sensitive data of over 100 million Android users at risk.
The warning comes via a company called Cheetah Mobile, which uncovered a problem in the spam call-blocking app.
Truecaller explained in a rundown on its website that the app uses devices' IMEI numbers as the only way to identify users, which means that anyone with access to the IMEI of a device will be able to get Truecaller users' personal information and mess with their app settings to expose them to phishing attacks.
The flaw put phone numbers, home addresses and gender information at risk of falling into the hands of hackers, according to Cheetah Mobile.
"This vulnerability allows anyone to steal Truecaller users’ sensitive information, potentially opening doors for attackers. Overall, more than 100 million Android users who have downloaded this app on their smartphones are in danger," the firm said.
Truecaller has been quick to respond to the discovery, unlike many who fall victim to such vulnerabilities. The company claimed in a blog post that, to its knowledge, no user information has been compromised as a result of the flaw.
"We recently found an issue where some user-defined information can be retrieved or changed without the original user’s consent if a third person knows the IMEI number of the original person’s device," Truecaller said.
Truecaller has also pushed out an updated version of the app that fixes the problem, which is available to download now at Google Play.
"We’ve quickly taken steps to fix this issue and have released an update which we strongly suggest all users upgrade to," Truecaller advised.
Don't go breathing a sigh of relief just yet, though. Cheetah Mobile rounded off its warning by saying: "Although the flaw has been fixed in the latest version, the majority of the users are still in danger as they have not got access to the new release yet."
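The weakness described above, a device identifier serving as the only credential, is sketched below next to a hardened form that requires a server-issued secret. This is an added example, not Truecaller's code or its actual fix; every function name, the in-memory stores, the sample IMEI and the out-of-band ownership check are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data; the IMEI and phone number are made-up values.
PROFILES = {"000000000000000": {"phone": "+10000000000", "spam_filter": True}}
SESSIONS = {}  # sha256(token) -> device id the token was issued for


def get_profile_vulnerable(device_id):
    """Weak pattern: the identifier doubles as the credential.

    An IMEI is not secret (it is printed on packaging and readable by
    other software), so anyone who learns it gets the profile.
    """
    return PROFILES.get(device_id)


def enroll(device_id, ownership_verified):
    """Issue a random token only after an out-of-band ownership check
    (assumed here, for example a one-time code sent to the phone number)."""
    if not ownership_verified or device_id not in PROFILES:
        raise PermissionError("ownership not verified")
    token = secrets.token_urlsafe(32)
    # Store only a hash so a leaked session table does not leak tokens.
    SESSIONS[hashlib.sha256(token.encode()).hexdigest()] = device_id
    return token


def _authorized(device_id, token):
    digest = hashlib.sha256((token or "").encode()).hexdigest()
    bound = SESSIONS.get(digest)
    # The token must exist and must have been issued for this device.
    return bound is not None and hmac.compare_digest(bound, device_id)


def get_profile_hardened(device_id, token):
    """Reads require the secret token, not just the identifier."""
    return PROFILES[device_id] if _authorized(device_id, token) else None


def update_settings_hardened(device_id, token, **changes):
    """Writes (the settings tampering the article mentions) need it too."""
    if not _authorized(device_id, token):
        return False
    PROFILES[device_id].update(changes)
    return True
```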