Erroneous API on insurance website exposed Office 365 password and massive email cache

 

Gapteks.com - A security researcher has discovered that Toyota Tsusho Insurance Broker India (TTIBI), an Indo-Japanese joint insurance business, used an improperly configured server that exposed more than 650,000 Microsoft-hosted email communications to clients.

It might not be totally resolved. Five months after the vulnerability was first made public by the researcher, the company has still not updated the password for the impacted account on Wednesday.

Security researcher Eaton Zveare of Traceable AI detailed how he found the vulnerability by looking at an Android app developed by Eicher Motors, an Indian automaker with a subdomain (eicher.ttibi.co.in) for their TTIBI website automobile insurance premium calculator.

My Eicher, an Android app, provides a range of services linked to vehicles, including fleet monitoring, fuel management, and predictive uptime. Additionally, Zveare found that it had a Java class with an API interface that comprises a GET request to the premium calculator website.

Zveare then looked at the TTIBI calculator page and noticed that it included a client-side function that generated an email request via a server-side API.

He described his results in a post, saying, "This caught my eye because this was a client-side email sending mechanism." "If it worked, I could send [an] email with any subject & body to anyone, and it would come from a genuine Eicher email address."

Because the request code had a Bearer Authorization header that used a cryptographic token to restrict API use to authenticated users, Zveare wasn't expecting much. He nonetheless attempted to compose an API request to deliver a message.

"I was expecting it to come back with '401 – Unauthorized', but what actually came back surprised me," he stated. "Not only did the email successfully send, it came back with a server error that revealed an email sending log."

The severity of the subpar API implementation was exacerbated by the log file that was returned with the error response since it contained the linked Microsoft Office 365 email account's Base64-encoded password.

According to Zveare, the password was linked to Eicher's noreply account, which is used to send clients automated emails. He argued that noreply accounts might occasionally be just straightforward aliases to email sending platforms like SendGrid or Postmark. Alternatively, they may be real accounts that anyone can access and utilize.

Zveare discovered the worst-case situation: it was possible to log into Eicher's Microsoft-hosted "noreplyeicher@ttibi.co.in" email account, which held records of all emails sent to clients. These included insurance policies containing sensitive personal data and links to reset passwords that could be exploited to take control of client insurance accounts. A total of 657k emails, or around 25 GB of data, were accessible.

Zveare said that because the vulnerability was not covered by Toyota's HackerOne vulnerability disclosure program, he disclosed it to India's Computer Emergency Response Team on August 7, 2023. By October 18, the API is supposed to have been patched, and sending emails now requires authentication.

But Zveare worries that TTIBI has done nothing.

"More than five months later, TTIBI still has not changed the password of the email account despite being aware of the vulnerability," he stated. "I tested it one again today, and I can still log in (evidence). They wouldn't want a random stranger to have five months of access to their corporate cloud, if I were them. This is really disheartening, and I hope they strengthen their security posture to prevent the loss of client data."

Sourece: theregister.com