Naukri.com Fixes Bug Exposing Recruiters’ Email Addresses
Introduction
Naukri.com, a prominent Indian employment website, has fixed a bug that exposed the email addresses of recruiters using its platform to hire talent online.
The Issue
Security researcher Lohith Gowda discovered the issue, which affected the API used in Naukri’s Android and iOS applications. Specifically, the API exposed the email addresses of recruiters when they visited the profiles of potential candidates on the Naukri platform. Notably, this vulnerability did not impact the company’s website.
Potential Risks
According to Gowda, the exposed recruiter email IDs could be exploited for targeted phishing attacks, leading to an influx of unsolicited emails and spam. Furthermore, these exposed email IDs might be added to public breach databases or spam lists, potentially resulting in automated bot abuse or scams.
Verification and Resolution
TechCrunch verified the exposure after receiving details about the bug from the researcher. The researcher confirmed that the issue was addressed earlier in the week, a fact corroborated by Naukri on Friday. Alok Vij, the IT infrastructure head at Naukri’s parent company InfoEdge, stated, "All identified enhancements are implemented, ensuring our systems remain updated and resilient. Our teams have not detected any unusual activity that affects the integrity of user data."
About Naukri.com
Established in March 1997, Naukri.com is India’s leading classified recruitment website, facilitating connections between recruiters, employers, and job seekers. The site also operates in the Middle East under the domain Naukrigulf.com.
Security Measures
Vij emphasized, "Certain features of our recruiter profiles are designed to be public to enable users to know who has access to their profile(s). We conduct regular audits and security assessments." This underscores Naukri’s commitment to maintaining the security and integrity of user data on its platform.