Recently, the Truecaller application began registering users for a UPI ID without their permission. Millions of people rely on this application every day.
Alan Mamedi, the company's CEO, said on Twitter that less than 0.12% of total monthly active users in India were affected by the "bug". He also said that the company had started rolling out an updated version of Truecaller for Android users, and that they noticed the first users to update to the new version (10.41.6) complaining that SMSs were sent out automatically, without their consent, to their banking partners.
The bug is an API that caused havoc. In the company's own account: the API was supposed to be initiated only for existing Truecaller Pay users who had consented to sign up with Truecaller Pay. Since this API is only meant for registered payment users whose credentials were corrupted, the API would then trigger a refresh of the credentials. However, this API was triggered for a portion of users who were not already registered for payments. Such an API issue is unusual and unprecedented at Truecaller and a scenario we hadn't designed for. As a consequence, the payments back end responded with the error code signaling that the users had insufficient credentials to perform this request. Under normal circumstances, this would be the correct course of action, since this error would have occurred only for a pre-registered user. This triggered a credential refresh, which would eventually cause the UPI registration to be triggered inadvertently.
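The failure described above is a client that decides to run a privileged, side-effecting flow (credential refresh, then bank-binding SMS) from a backend error code alone, without first checking that the user is actually enrolled and has consented. The following is an added, hypothetical reconstruction written for this article to show that pattern beside a hardened version; it is not Truecaller's code, and every name, error code and flow in it (`payments_backend`, `INSUFFICIENT_CREDENTIALS`, `refresh_credentials`, the fallthrough into `register_upi`) is an assumption chosen to mirror the statement, not something the page confirms.

```python
"""Hypothetical reconstruction of the 'error code triggers enrolment' bug.

Illustrative code written for this article, not Truecaller's code. The
backend, error codes and refresh/registration flow are all assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class PayError(Enum):
    OK = "ok"
    INSUFFICIENT_CREDENTIALS = "insufficient_credentials"  # assumed name


@dataclass
class User:
    phone: str
    pay_registered: bool              # enrolled in the payments product?
    consented_to_pay: bool            # explicitly opted in?
    credentials: Optional[str] = None  # None models corrupted/missing creds


@dataclass
class Outcome:
    sms_sent: List[str] = field(default_factory=list)
    credentials_refreshed: bool = False
    upi_registered: bool = False


def payments_backend(user: User) -> PayError:
    """Assumed backend: any request without usable credentials is rejected.

    For a pre-registered user that means 'refresh your credentials'; for a
    user who was never enrolled it means 'no such enrolment'. The error code
    is the same in both cases, which is the ambiguity the buggy client trips
    over.
    """
    if not user.credentials:
        return PayError.INSUFFICIENT_CREDENTIALS
    return PayError.OK


def register_upi(user: User, out: Outcome) -> None:
    """Side-effecting enrolment step: sends the bank-binding SMS (simulated)."""
    out.sms_sent.append(f"{user.phone} -> bank partner (UPI registration)")
    out.upi_registered = True


def refresh_credentials(user: User, out: Outcome) -> None:
    """Credential refresh, assumed (as the statement describes) to fall
    through into registration when no enrolment exists locally."""
    out.credentials_refreshed = True
    if user.pay_registered:
        user.credentials = "fresh-token"   # simulated new credential
    else:
        register_upi(user, out)            # the inadvertent path


def buggy_sync(user: User) -> Outcome:
    """Vulnerable: the refresh path is chosen from the backend error alone,
    so an unenrolled user is pushed through refresh and then enrolment."""
    out = Outcome()
    if payments_backend(user) is PayError.INSUFFICIENT_CREDENTIALS:
        refresh_credentials(user, out)
    return out


def hardened_sync(user: User) -> Outcome:
    """Fixed: gate on local enrolment state and explicit consent before any
    credential refresh. An error code from the backend is evidence that
    something is wrong, not authorisation to start a new enrolment."""
    out = Outcome()
    if not (user.pay_registered and user.consented_to_pay):
        return out  # unenrolled user: nothing to refresh, nothing to send
    if payments_backend(user) is PayError.INSUFFICIENT_CREDENTIALS:
        refresh_credentials(user, out)  # safe: enrolment already verified
    return out


if __name__ == "__main__":
    # Constructed sample: a user who never signed up for payments.
    bystander = User("+91-0000000001", pay_registered=False, consented_to_pay=False)
    print("buggy   :", buggy_sync(bystander))
    print("hardened:", hardened_sync(bystander))
```

The point of the hardened handler is not the extra `if`; it is that the decision to run a flow with external side effects is taken from state the client owns and can verify (enrolment, consent), never inferred from a generic backend error that can be returned for more than one reason.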
Truecaller acted quickly and remotely stopped the release of that particular version, so the mishap caused no loss for the affected users, neither of their data nor of any money.