JustDial (JD) is a local search service in India that helps residents find product vendors and service providers that best fit their needs. It was recently discovered through independent research that the company is inadvertently exposing the personal information of every single customer that used the service through its website, mobile app, or its customer care number. Data being exposed includes the user’s name, email, mobile number, address, gender, date of birth, photo, occupation, and the company name they are working with. It was discovered that the information was left exposed because of an unprotected API endpoint. The API has existed since 2015 and can be accessed by anyone. However, it cannot be determined that the information has been misused in any way. Through a number of tests ran by the researcher, he was able to find out that although the API is connected to the main JD database. It is an old endpoint that was never removed from the server, but the problem lies in the fact that it is still fetching real-time user data. JustDial has been contacted in an attempt to make them aware of this issue, but no reliable direct contact could be found to pass the information on to.
When utilizing a service of this type, users should always be careful with the information they are passing over to the operator. Be sure to ask questions about how they are using the information and what will be done with it. If you do not trust that your information will be safe, then you should not provide it.