Justdial Experiences Second Data Breach In Two Weeks, Demonstrates OpSec Failings

CEO of Justdial, V.S.S. Mani

Justdial, one of the most prominent Indian hyperlocal search engines, has been subject to a major security bug since the beginning of the month. This is akin to a data breach, and is the second in quick succession for the company after a similar incident occurred earlier this month.

The company operates on a large scale, with over 134 million QAU. The database of all of Justdial’s customers was exposed just a few weeks prior; the current breach affects the reviewers’ database.

The First Breach

Around 18th April, an independent security researcher revealed that private data of over 100 million users contained in the search engine’s database had been exposed. This includes information such as names, email IDs, mobile numbers, addresses, and other such personally identifiable information.



The reason for this breach was a leaky endpoint courtesy of an expired API. The API reportedly allowed anyone to access the data of the users, 70% of whom were individuals who called the Justdial hotline number of 8888 8888.

These findings were demonstrated by security researcher Rajshekhar Rajaharia, who posted the claims on Twitter. He also stated that Justdial had not acted on these claims.

Justdial denied these claims, stating that the data is stored in a ‘double-encrypted format’ and was audited to be compliant with PCI DSS norms.

A Second Volley

The same researcher discovered another loophole in the API of Justdial on April 29th, wherein the database of individuals who post reviews on the platform was exposed.

In a statement to a publication, Rajaharia stated, “The API connected to Justdial’s database of reviewers has been unprotected since the company’s foundation.”

This meant that information such as the reviewer’s name, mobile number, and location were accessible through the loophole. The loophole was, again, on the API side, causing a leaky endpoint that required almost no credentials to access.

To Justdial’s credit, the issue was fixed on the same day the researcher reported it. They also fixed the first one within a week of Rajaharia’s original post.

Even though quick action was taken, the loophole left users’ data unprotected for as long as it went undiscovered, owing to what seemed to be mistakes that could be fixed easily. This is indicative of a larger problem in quickly growing startups.

OpSec Failings Exposed Sensitive User Data

Justdial is one of the biggest databases for various verticals, as it operates in over 25 different ones. While it provides similar services across verticals, the market spread ensures that a vast amount of diverse data can be collected.

This demonstrates poor operational security on the part of Justdial, for 2 main reasons. Primarily, an outdated API is one of the lowliest ways that access to a system can be gained.

Any API handler and manager should always make the old API obsolete before releasing a new one, either by cutting off access or by cutting off support. A simple software switch could have blocked access without the need to change anything in the current distribution.

Secondly, they allowed the same attack vector to be exploited twice. If this were a breach by a malicious party as opposed to by a security researcher, the second attack would have proved to be one of the worst ways for a compromise of security to occur.

While this was already a known issue on the part of Justdial, the fact that they did not assess other attack vectors from the same possible angle shows their failings in operational security.
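As an added illustration (not code from Justdial or from this article), the sketch below shows the two controls discussed above: a switch that retires an old API version before any handler runs, and an audit that reviews every endpoint from the same angle. The inventory, version names, dates and token check are constructed assumptions.

```python
import hmac
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class ApiVersion:
    name: str
    sunset: Optional[date]   # date after which the version must stop serving
    enabled: bool            # the "software switch"
    requires_auth: bool      # what the deployed handler is configured to demand

# Constructed inventory; names, dates and flags are illustrative only.
INVENTORY = [
    ApiVersion("v1", date(2018, 1, 1), True, False),   # expired but still live
    ApiVersion("v2", date(2019, 1, 1), False, True),   # correctly switched off
    ApiVersion("v3", None, True, True),                # current
    ApiVersion("reviews-v1", None, True, False),       # live with no auth
]

def expired(v, today):
    return v.sunset is not None and today > v.sunset

def audit(inventory, today):
    """Return (name, problem) for every live version that is a leak risk."""
    findings = []
    for v in inventory:
        if not v.enabled:
            continue
        if expired(v, today):
            findings.append((v.name, "past sunset but still enabled"))
        if not v.requires_auth:
            findings.append((v.name, "serves data without authentication"))
    return findings

def gate(inventory, version, token, valid_token, today):
    """Decide the HTTP status before routing; auth is enforced for every version."""
    v = next((x for x in inventory if x.name == version), None)
    if v is None:
        return 404   # unknown versions are never routed
    if not v.enabled or expired(v, today):
        return 410   # retired: refused even with valid credentials
    if token is None or not hmac.compare_digest(token, valid_token):
        return 401   # default deny, regardless of the handler's own config
    return 200
```

Running the audit on every release, and failing the release on any finding, catches the second endpoint at the same time as the first.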

The company needs to adopt tighter security when it comes to their databases, as they are now in the public eye as a non-secure company. It remains to be seen what future loopholes are discovered.


Anirudh VK
I am an AI enthusiast and love keeping up with the latest events in the space. I love video games and pizza.
