Naukri fixes bug that exposed recruiter email addresses

Written by Farah Amod | June 05, 2025

A researcher found that Naukri’s mobile app API was leaking recruiter email IDs, creating a potential phishing risk.


What happened

Naukri, an Indian job search platform, recently patched a security issue in its mobile apps that exposed the email addresses of recruiters using the service. The vulnerability was discovered by security researcher Lohith Gowda, who found that Naukri’s API on its Android and iOS apps leaked recruiter email IDs whenever they viewed candidate profiles. The website version of Naukri was not affected by the bug.

The issue raised concerns about targeted phishing, spam, and the potential for abuse by bots. Gowda confirmed that attackers could have harvested the exposed emails and added them to public breach or spam databases. TechCrunch was able to independently verify the exposure before Naukri rolled out a fix.


Going deeper

According to Gowda, the nature of the bug made it possible to scrape recruiter email addresses in bulk, potentially leading to misuse. Phishing campaigns, scam operations, and unsolicited outreach are among the risks when such email data is exposed.

Naukri confirmed that the flaw was addressed earlier in the week and stated that no suspicious activity had been detected. Alok Vij, head of IT infrastructure at Naukri’s parent company InfoEdge, stated that all necessary updates had been made to strengthen system resilience.

Naukri.com is a long-standing recruitment platform operating since 1997. In addition to serving job seekers and recruiters in India, it also has a presence in the Middle East.


What was said

Gowda warned that recruiters could become targets for phishing and spam due to the exposure. "The exposed recruiter email IDs can be used for targeted phishing attacks," he told TechCrunch.

Naukri responded by reaffirming its commitment to user safety and noting that certain recruiter profile elements are public by design. "We conduct regular audits and security assessments," Vij said, indicating that this was part of their ongoing monitoring efforts.


The big picture

Vulnerabilities like this one point to the need for secure API design, particularly on platforms that manage sensitive professional information. Even seemingly limited data, such as recruiter email addresses, can be misused for phishing or fraud if not properly protected. Naukri’s response and disclosure reflect a proactive approach, but the incident reinforces the importance of monitoring mobile applications with the same rigor as web platforms when addressing data security.
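The over-exposure pattern behind this incident, shown as an added illustration rather than Naukri's own code: a profile-view endpoint that echoes the stored recruiter record wholesale, next to one that serializes through an explicit allowlist, plus the kind of regression check an API audit can run over responses to catch email-shaped values in unexpected places. All record fields and values are constructed for the example.

```python
import re
from typing import Any

# Constructed sample record (not real data): the recruiter object as a backend
# might store it, including contact fields that no viewer should receive.
RECRUITER = {"id": 4711, "name": "A. Recruiter", "company": "Example Corp",
             "email": "recruiter@example.com", "phone": "+91-00000-00000"}

# Leaky pattern: the endpoint returns the whole stored record, so every client
# that fetches the profile-view event also receives the recruiter's email.
def profile_view_leaky(recruiter: dict[str, Any]) -> dict[str, Any]:
    return {"event": "profile_view", "recruiter": dict(recruiter)}

# Hardened pattern: only fields on an explicit allowlist are ever serialized;
# new sensitive columns added later stay private by default.
PUBLIC_RECRUITER_FIELDS = ("id", "name", "company")

def profile_view_hardened(recruiter: dict[str, Any]) -> dict[str, Any]:
    public = {k: recruiter[k] for k in PUBLIC_RECRUITER_FIELDS if k in recruiter}
    return {"event": "profile_view", "recruiter": public}

# Loose email shape, deliberately broad: an audit wants to over-report here.
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

def find_exposed_emails(payload: Any, path: str = "$") -> list[tuple[str, str]]:
    """Walk a JSON-like response and report each email-shaped value with its path.

    Intended as a regression check on API fixtures: a mobile endpoint meant to be
    free of contact data should return an empty list.
    """
    hits: list[tuple[str, str]] = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            hits += find_exposed_emails(value, f"{path}.{key}")
    elif isinstance(payload, list):
        for index, value in enumerate(payload):
            hits += find_exposed_emails(value, f"{path}[{index}]")
    elif isinstance(payload, str) and EMAIL_RE.fullmatch(payload):
        hits.append((path, payload))
    return hits

if __name__ == "__main__":
    print("leaky:", find_exposed_emails(profile_view_leaky(RECRUITER)))
    print("hardened:", find_exposed_emails(profile_view_hardened(RECRUITER)))
```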


FAQs

Why are recruiters' email addresses considered sensitive, even if they're work-related?

While they may be business emails, exposure can still lead to spear phishing, impersonation, and targeted scams that exploit trust between recruiters and job seekers.


Could attackers have already harvested the leaked emails before the fix?

Yes, if malicious actors had discovered the bug earlier, they could have scraped thousands of emails, adding them to spam databases or using them for phishing before Naukri addressed the issue.


What should recruiters do if they suspect their email was exposed?

They should monitor for suspicious messages, avoid clicking on unknown links, and consider enabling email security features like spam filters or two-factor authentication for added protection.


What does this incident reveal about securing mobile platforms?

It shows that mobile apps, even from well-known companies, require the same rigorous security audits as web platforms. A single overlooked API call can expose data to mass exploitation.