HyperAI

Naukri Fixes Bug That Exposed Recruiters' Email Addresses to Potential Phishing Risks

12 hours ago

A security flaw on Naukri.com, India's leading job portal, exposed the email addresses of recruiters using the platform's Android and iOS apps. Security researcher Lohith Gowda uncovered the issue and reported it to TechCrunch. The bug allowed the API to reveal the email addresses of recruiters whenever they viewed a candidate’s profile, but the website itself remained unaffected.

According to Gowda, the exposed email addresses could have been exploited for targeted phishing attacks, leading to an influx of unsolicited emails and spam. Additionally, these email IDs could have been added to public breach databases or spam lists, facilitating mass email scraping and potential scam activities. TechCrunch independently verified the exposure after receiving detailed information from Gowda.

The platform confirmed that the issue was resolved earlier this week, with official confirmation provided on Friday by Alok Vij, IT Infrastructure Head at InfoEdge, Naukri’s parent company. “All identified enhancements have been implemented, ensuring our systems remain up-to-date and robust,” Vij stated in an email to TechCrunch. He also noted that no unusual activity affecting the integrity of user data had been detected by the company’s teams.

Naukri.com, founded in March 1997, is a prominent classified recruitment website in India, connecting millions of recruiters, employers, and job seekers. The platform also operates in the Middle East under the name Naukrigulf.com.

Vij explained that some elements of the recruiter profiles are intentionally made public to help job seekers understand who has accessed their profiles. “We regularly conduct audits and security assessments to ensure the highest standards of protection for our users,” he added.

This incident highlights the ongoing importance of vigilant security practices in the digital age, especially for platforms handling sensitive personal and professional information. Despite the prompt resolution, it serves as a reminder for both users and service providers to remain cautious and proactive in safeguarding personal data.
