Naukri exposed recruiter email addresses, researcher says

[CodeCanyon 316]

Naukri.com, a popular Indian employment website, has fixed a bug that exposed the email addresses of recruiters using its platform to search and hire talent online.

The issue, discovered by security researcher Lohith Gowda, affected the API that Naukri used on its Android and iOS apps. The API exposed the email addresses of recruiters visiting profiles of potential candidates on Naukri’s platform. The issue did not appear to affect the company’s website.

“The exposed recruiter email IDs can be used for targeted phishing attacks, and recruiters may receive excessive unsolicited emails and spam,” Gowda told TechCrunch.

He added that exposed email IDs could be added to public breach databases or spam lists, and mass email address scraping could lead to automated bot abuse or scams.

TechCrunch verified the exposure after the researcher shared details about the bug. The researcher confirmed to TechCrunch that the issue was fixed earlier this week, which Naukri corroborated on Friday.

“All identified enhancements are implemented, ensuring our systems remain updated and resilient,” Alok Vij, IT infrastructure head at Naukri’s parent company InfoEdge, told TechCrunch over email. “Our teams have not detected any usual activity that affects the integrity of user data.”

Founded in March 1997, Naukri.com is India’s top classified recruitment website, helping connect recruiters, employers, and job seekers. Apart from India, the site exists in the Middle East as Naukrigulf.com.

“Certain features of our recruiter profiles are designed to be public to enable users to know who has access to their profile(s). We conduct regular audits and security assessments,” said Vij.