If you’ve ever looked for a job in India, chances are you’ve gone through Naukri.com. It’s among the largest names in the job search universe. But even the most reliable sites are prone to the occasional mistake, and Naukri recently had to patch a security flaw that exposed recruiters to phishing and scams.
Let’s go through what happened, why it’s important, and what we can all take away.
A Security Flaw Hiding in Plain Sight
The issue was first spotted by cybersecurity researcher Lohith Gowda. While digging into Naukri’s mobile apps, he found something unexpected. When recruiters viewed candidate profiles using the Android or iOS app, their email addresses were quietly exposed through the app’s API. No hacking tools or special access needed—just a bit of digging. Interestingly, the main Naukri website wasn’t affected at all.
Why Should You Care About Recruiter Emails?
Initially, it may not strike you as a major issue. A recruiter’s work email is public in most instances anyway, right? However, when such emails are exposed via an app’s backend, they can be grabbed with ease in bulk quantities. Such access is a bonanza for scammers and phishers. As Lohith Gowda noted, these addresses may end up in breach databases or as a starting point for targeted attacks. It’s not simply frustrating spam—it’s an entryway to impersonation and fraud.
The Risks Go Beyond Annoying Spam
What makes this more serious is how these emails can be used. Phishing attacks often rely on trust, and recruiters are in a position of trust. A scammer could impersonate a recruiter to trick job seekers, or use those emails as a stepping stone for more elaborate fraud. Gowda warned that the exposure makes targeted phishing attacks much easier to carry out.
Naukri’s Swift Response
As soon as Gowda reported the problem, InfoEdge, the parent company of Naukri, moved swiftly. Alok Vij, InfoEdge's head of IT infrastructure, confirmed that they had not noticed any unusual activity or indications that user data was compromised. The company released a patch, secured its app, and closed the vulnerability.
Naukri also said that some of the recruiter profiles are intended to be visible, so the applicants know who’s reading their resumes. Nevertheless, the firm reiterated its dedication to performing regular audits and continuous security scans.
What This Means for Mobile App Security
This episode is a reminder of just how crucial mobile API security is. A single endpoint that returns more fields than the client actually needs can expose sensitive user information, even when the website in front of the same data does not. And when that information is tied to something as critical as jobs and hiring, the stakes get even higher. It's a wake-up call for businesses to design APIs that return only what each client is meant to see, particularly on platforms handling personal or professional information.
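The pattern behind this kind of exposure is an API that serialises a whole backend record, so a field the mobile client never needs still travels over the wire. The block below is an added example, not Naukri's or InfoEdge's code: it contrasts a dump-everything view with a per-audience allowlist, and includes a small response audit that flags email addresses in a payload. The record layout, field names and sample values are assumptions constructed for the illustration.

```python
# Added example (not Naukri's or InfoEdge's code). Record shape, field names
# and sample values are constructed for illustration only.
import json
import re
from dataclasses import dataclass, asdict

@dataclass(frozen=True)
class RecruiterRecord:
    recruiter_id: str
    display_name: str
    company: str
    email: str   # internal contact detail, must not reach the candidate app
    phone: str   # likewise

# Allowlist, not denylist: a field not named here is dropped, so a sensitive
# column added to the record later cannot start leaking by default.
PUBLIC_FIELDS = {
    "candidate_app": ("recruiter_id", "display_name", "company"),
}

def leaky_view(record: RecruiterRecord) -> dict:
    # The anti-pattern: every attribute of the record, email included,
    # becomes part of the API response.
    return asdict(record)

def safe_view(record: RecruiterRecord, audience: str) -> dict:
    # Fail closed: an unknown audience raises KeyError instead of
    # silently returning the full record.
    allowed = PUBLIC_FIELDS[audience]
    return {name: getattr(record, name) for name in allowed}

def leaked_sensitive_fields(response: dict, sensitive=("email", "phone")) -> list:
    # Which sensitive keys made it into the payload? Useful as a release check.
    return sorted(k for k in sensitive if k in response)

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def find_emails_in_payload(response: dict) -> list:
    # Content-based audit that does not depend on knowing the field names:
    # scan the serialised JSON for anything shaped like an email address.
    return EMAIL_RE.findall(json.dumps(response))

# Constructed sample record, not real data.
SAMPLE = RecruiterRecord("r-1001", "A. Sharma", "Example Corp",
                         "a.sharma@example.com", "+91-00000-00000")

if __name__ == "__main__":
    print("leaky:", leaked_sensitive_fields(leaky_view(SAMPLE)))
    print("safe :", leaked_sensitive_fields(safe_view(SAMPLE, "candidate_app")))
```

Either check can run in CI against recorded responses from each mobile endpoint; the field-name check catches known sensitive columns, while the email scan catches a leak through a field nobody thought to list.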
Tip for Recruiters: Remain Alert
If you're a recruiter who uses Naukri's mobile app, it's worth remaining vigilant. Be cautious of strange emails or messages, avoid clicking on untrusted links, and activate two-factor authentication on your work email if you haven't done so already. Even though the problem has been rectified, it's always better to err on the side of caution.
The Power of Responsible Disclosure
This entire incident is a perfect illustration of why ethical hacking is important. Gowda identified an issue, reported it responsibly, and Naukri acted quickly. This is how security must be done—through collaboration, not fear.
Security issues can pop up in unexpected places, even on platforms millions of people rely on. Whether you’re building apps or just using them, the key takeaway is clear: always stay a step ahead when it comes to protecting data.