Truecaller last week received major backlash in India after a bug in its payments service automatically generated UPI accounts of thousands of users. Truecaller users took to social networking platforms to complain that the app had created their accounts without their permission.
This bug affected Truecaller users on Android who updated the app to its latest version. Users found out through an SMS they received saying that their registration for UPI has started. The process couldn’t be completed since the final step requires the user to enter a UPI PIN. Truecaller users took to Twitter and Google Play Store complaining about the same.
In a detailed email, Truecaller has addressed the vulnerability and how it happened. The company said that the API for registered Truecaller Pay users affected those who are not on the payments service yet.
“As a consequence, the payments backend responded with an error code signalling that the users have insufficient credentials to perform this request (that’s what that odd SMS message was about). Under normal circumstances this would be the correct course of action, since this error would have occurred only for a pre-registered user. This triggered a credential refresh which would eventually cause the UPI registration to be triggered inadvertently,” Truecaller explained.
Truecaller said 0.12% of users were affected by the Truecaller Pay bug. The created Truecaller accounts were also deleted soon after the incident was discovered. The company further explained that since the UPI setup was not completed there was no data or finances of users were affected. Following the bug discovery Truecaller patched the bug and there’s an update for the app as well.
In addition to this, Truecaller also refuted reports of the company reading user SMSs to create a credit scoring. This is with regards to Truecaller Pay’s loans scheme which is offered to users without a traditional credit score. Truecaller said it may access transactional SMSs but only with user consent.
WhatsApp us