Naukri.com Mobile API Bug Exposed Sensitive Recruiter Information


A severe vulnerability in the mobile API of Naukri.com, India’s largest job recruitment platform, exposed recruiter email addresses to unauthorized users. The issue was isolated to mobile app users on both Android and iOS. While the vulnerability has been fixed, the incident raised serious concerns about API security hygiene, data privacy, and the potential for phishing and impersonation attacks.

Severity Level: Moderate

Incident Overview:

  1. The Flaw:
    • Affected the mobile API endpoints of Naukri.com, exposing data through unprotected response structures.
    • The web version of the platform remained unaffected, indicating inconsistent security controls across platform interfaces.
    • The flaw allowed job seekers to retrieve recruiter emails when they viewed a recruiter's profile; no authentication or privilege checks were enforced on the response.
  2. Exposed Data and Potential Risk:
    • Recruiter email addresses were unintentionally exposed, enabling exploitation for:
      • Highly targeted phishing attacks
      • Spamming campaigns using verified corporate identities
      • Social engineering and recruiter impersonation
    • Exposed recruiter emails could also enable adversaries to enumerate hiring patterns or organizational structures across industries.
  3. No Confirmed Exploitation:
    • While no widespread abuse has been identified so far, long-tail risks like data scraping and resale persist.
    • Even in the absence of active exploitation, data harvested during the exposure window could be stockpiled for delayed use.
    • The leak could serve as a pivot point for broader supply chain attacks targeting enterprises through compromised HR communications.
  4. Impact and Response:
    • Naukri.com hosts millions of monthly users, including confidential data from job seekers and employers alike. Given its scale and function, a breach here could undermine platform-wide trust and create cascading reputational damage.
    • The company patched the issue within days and confirmed no evidence of active exploitation or malicious activity was found on their systems.
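The class of bug described above (a profile endpoint whose response structure carries fields the caller is not entitled to) is illustrated here as an added example; this is not Naukri.com's code, and the model, field names and roles are assumptions. It contrasts a handler that serializes the whole recruiter record with one that allowlists response fields per caller, and adds a contract check that a test suite can run against every endpoint to catch over-exposure before release.

```python
from dataclasses import dataclass, asdict

# Constructed sample model; field and role names are assumptions, not Naukri.com's schema.
@dataclass
class Recruiter:
    id: int
    name: str
    company: str
    email: str   # sensitive: meant for the recruiter's own dashboard, not job seekers
    phone: str   # sensitive

@dataclass
class Caller:
    user_id: int
    role: str    # "jobseeker", "recruiter" or "admin"

PUBLIC_FIELDS = {"id", "name", "company"}
PRIVATE_FIELDS = {"email", "phone"}

def profile_view_vulnerable(recruiter: Recruiter, caller: Caller) -> dict:
    """Pattern behind the bug: the whole record is serialized for every caller,
    so a job seeker viewing a profile receives the recruiter's email."""
    return asdict(recruiter)

def profile_view_hardened(recruiter: Recruiter, caller: Caller) -> dict:
    """Response allowlist: private fields are added only when the caller is
    an admin or the recruiter whose own profile is being fetched."""
    allowed = set(PUBLIC_FIELDS)
    if caller.role == "admin" or (
        caller.role == "recruiter" and caller.user_id == recruiter.id
    ):
        allowed |= PRIVATE_FIELDS
    return {k: v for k, v in asdict(recruiter).items() if k in allowed}

def leaked_fields(response: dict, caller: Caller, recruiter: Recruiter) -> set:
    """Contract check for tests/CI: private fields present in a response that
    went to a caller not entitled to them. An empty set means no over-exposure."""
    entitled = caller.role == "admin" or (
        caller.role == "recruiter" and caller.user_id == recruiter.id
    )
    return set() if entitled else PRIVATE_FIELDS & set(response)

# Constructed sample data for a stand-alone run.
SAMPLE_RECRUITER = Recruiter(7, "A. Sharma", "ExampleCorp", "hr@example.invalid", "+91-0000000000")
JOBSEEKER = Caller(user_id=42, role="jobseeker")

if __name__ == "__main__":
    for view in (profile_view_vulnerable, profile_view_hardened):
        leaked = leaked_fields(view(SAMPLE_RECRUITER, JOBSEEKER), JOBSEEKER, SAMPLE_RECRUITER)
        print(f"{view.__name__}: leaked={sorted(leaked) or 'none'}")
```

The same check applies regardless of client: running it for both the web and mobile response builders would have surfaced the inconsistency the advisory notes between the two interfaces.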

Recommendations:

  1. Limit the amount of personal or organizational information added to public recruiter profiles (e.g., avoid sharing personal contact numbers or full organizational hierarchy)
  2. Always log out from recruiter dashboards, especially when using shared or mobile devices. Avoid storing passwords in browsers.
  3. Use strong, unique passwords for platform access and rotate them periodically. Employ MFA where available.
  4. Stay updated on phishing trends targeting recruitment platforms. If you receive unexpected resumes or messages, verify the source before engaging.
  5. Regularly audit account usage logs if the platform provides them. Look for suspicious access times, IPs, or geographies.
  6. Train in-house recruitment teams to follow cybersecurity best practices. Include cyber hygiene as part of recruiter onboarding processes.

Source:

  • https://the420.in/naukri-com-recruiter-email-leak-api-bug-security-flaw/

