Full Report
The recruiter website fixed the email address exposure earlier this week.
Analysis Summary
# Incident Report: Exposure of Recruiter Email Addresses on Naukri Platform
## Executive Summary
A configuration flaw in the API used by Naukri's mobile applications (Android and iOS) resulted in the exposure of recruiter email addresses who were viewing job candidate profiles. The incident was discovered by an external security researcher and promptly fixed by Naukri before widespread malicious exploitation could occur. The primary impact involves the potential for targeted phishing against recruiters and increased spam volume.
## Incident Details
- **Discovery Date:** May 23, 2025 (Date article published regarding discovery)
- **Incident Date:** Prior to May 23, 2025 (Bug was present and fixed "earlier this week" relative to publication)
- **Affected Organization:** Naukri.com (InfoEdge)
- **Sector:** Employment/Job Aggregation Services
- **Geography:** India (Primary market)
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown prior to May 2025.
- **Vector:** Logic/Configuration flaw within the application API.
- **Details:** The API endpoint used by the Android and iOS apps inadvertently exposed the email addresses of recruiters who were viewing candidate profiles. **This issue did not affect the main Naukri website.**
### Lateral Movement
- **N/A.** The incident appears to be a direct information disclosure vulnerability rather than an active intrusion requiring lateral movement.
### Data Exfiltration/Impact
- **Details:** Recruiter email addresses were exposed to candidates or other unauthorized users interacting with the mobile application endpoints. Potential impact includes targeted phishing, increased spam, and inclusion in public breach databases.
### Detection & Response
- **How it was discovered:** Discovered by security researcher Lohith Gowda.
- **Response actions taken:** TechCrunch verified the exposure. Naukri acknowledged the vulnerability and implemented fixes "earlier this week" (relative to May 23, 2025).
## Attack Methodology
Since this was a configuration vulnerability discovered by a researcher rather than a successful external intrusion, traditional TTPs (Tactics, Techniques, and Procedures) are not fully applicable.
- **Initial Access:** Information Disclosure via flawed API logic (Application Vulnerability).
- **Persistence:** N/A
- **Privilege Escalation:** N/A
- **Defense Evasion:** N/A
- **Credential Access:** N/A
- **Discovery:** N/A
- **Lateral Movement:** N/A
- **Collection:** Automated scraping potential against the exposed email list.
- **Exfiltration:** Potential manual (or automated) scraping of exposed data.
- **Impact:** Exposure of sensitive contact information (recruiter emails).
## Impact Assessment
- **Financial:** Not disclosed.
- **Data Breach:** Personal identifying information (PII) in the form of recruiter email addresses were exposed. No specific volume was stated, but it affected users of the mobile apps.
- **Operational:** Minimal operational disruption reported, as InfoEdge stated no unusual activity affecting data integrity was detected.
- **Reputational:** Potential minor reputational damage due to the public disclosure of a security oversight.
## Indicators of Compromise
*Note: Since this was a specific API logic flaw, standard network/file IOCs are generally not applicable unless abuse occurred prior to patching.*
- **Network indicators:** N/A (Dependant on attacker's scraping source, if any)
- **File indicators:** N/A
- **Behavioral indicators:** Excessive automated requests directed at the specific mobile API endpoints responsible for profile viewing (if scraping occurred).
## Response Actions
- **Containment measures:** The underlying API vulnerability was identified and patched by Naukri's teams.
- **Eradication steps:** The faulty code handling the profile view API response was corrected.
- **Recovery actions:** Confirmed by InfoEdge head Alok Vij that "All identified enhancements are implemented, ensuring our systems remain updated and resilient."
## Lessons Learned
- **Key takeaways:** Mobile application APIs require the same rigorous security auditing as web platforms, especially when handling sensitive data associated with user actions (like viewing profiles). Even if the core website is secure, application-specific integrations can introduce vulnerabilities.
- **What could have been done better:** Faster detection of the API logic flaw during internal testing prior to researcher discovery.
## Recommendations
- Conduct comprehensive security audits focusing specifically on mobile application APIs interacting with user profile data.
- Implement strict authorization and access control checks within API responses to ensure only necessary data fields are returned based on the requesting user type and permission level.
- Increase monitoring for high-volume, automated data retrieval patterns against profile viewing APIs.