Naukri.com, a popular Indian employment website, has fixed a bug that exposed the email addresses of recruiters who use the platform to search for and hire talent online.
The issue, discovered by security researcher Lohith Gowda, affected the APIs Naukri uses in its Android and iOS apps. The API returned the email addresses of recruiters who had viewed the profiles of prospective candidates on Naukri's platform. The issue does not appear to have affected the company's website.
“The email ID of an exposed recruiter can be used for targeted phishing attacks, and recruiters can receive excessive unsolicited emails and spam,” Gowda told TechCrunch.
He added that the exposed email IDs could end up in public breach databases or spam lists, and that scraping email addresses in bulk could lead to automated bot abuse or fraud.
TechCrunch reviewed the exposure after the researcher shared details of the bug. The researcher confirmed to TechCrunch that the issue was fixed earlier this week.
“All identified enhancements have been implemented to ensure that the system is updated and remains resilient,” Alok Vij, head of infrastructure at Naukri's parent company Info Edge, told TechCrunch via email. “Our teams have not detected any abnormal activity affecting the integrity of user data.”
Founded in March 1997, Naukri.com is India's leading classified recruitment website, connecting recruiters, employers and job seekers. Outside India, the site also operates in the Middle East as naukrigulf.com.
“Specific features of recruiter profiles are designed to be publicly available so that users can know who has accessed their profile. We carry out regular audits and security assessments,” Vij said.