Naukri, the leading Indian job portal, has patched a critical security vulnerability that inadvertently exposed the private email addresses of recruiters using its mobile applications. The flaw, identified by security researcher Lohith Gowda, affected the API used by the platform’s Android and iOS apps.
How the Data Leak Occurred
The flaw lay in an API endpoint that leaked a recruiter’s email address whenever that recruiter viewed a candidate’s profile on the mobile app. Notably, the vulnerability did not extend to the web-based version of the Naukri platform. By exploiting this API behavior, unauthorized parties could have systematically scraped sensitive contact information.
Risks of Phishing and Data Scraping
Security researcher Lohith Gowda warned that the exposure posed significant risks to the affected recruiters. “The exposed recruiter email IDs can be used for targeted phishing attacks, and recruiters may receive excessive unsolicited emails and spam,” Gowda noted. Beyond direct spam, the harvested data could have been integrated into public breach databases or utilized by automated bots to facilitate large-scale scams.
Company Response and Remediation
Following the disclosure of the bug, the issue was successfully resolved earlier this week. Alok Vij, head of IT infrastructure at InfoEdge—the parent company of Naukri—confirmed the fix on Friday.
“All identified enhancements are implemented, ensuring our systems remain updated and resilient,” stated Vij. He further emphasized that internal investigations found no evidence of malicious activity or unauthorized access that compromised the overall integrity of user data.
Platform Context
Established in 1997, Naukri.com remains the dominant force in India’s recruitment sector, bridging the gap between employers and job seekers. The company also operates internationally under the brand Naukrigulf.com. Regarding the incident, Vij clarified that while certain recruiter profile details are intentionally public to maintain transparency for job seekers, the company maintains a rigorous schedule of security audits and assessments to protect user privacy.
