Toyota Tsusho Insurance Broker India (TTIBI), an Indo-Japanese joint insurance venture, operated a misconfigured server that exposed more than 650,000 Microsoft-hosted email messages sent to customers, a security researcher has found.
The problem may not be fully fixed. When the researcher publicly disclosed the vulnerability on Wednesday, five months after reporting it privately, the firm still had not changed the password of the affected email account.
Eaton Zveare, a security researcher at Traceable AI, published an account of how he found the problem by inspecting an Android app created by Eicher Motors, an India-based automotive firm that has a subdomain (eicher.ttibi.co.in) for its vehicle insurance premium calculator on the TTIBI website.
The Android app, My Eicher, offers various vehicle-related services like predictive uptime, fuel management, and fleet monitoring. And, as Zveare found, it includes an API interface Java class that contains a GET request to the premium calculator page.
Zveare then examined the calculator web page on the TTIBI website and noticed that it included a client-side function that built a request to send email through a server-side API.
“This caught my eye because this was a client-side email sending mechanism,” he wrote in a post describing his findings. “If it worked, I could send [an] email with any subject & body to anyone, and it would come from a real Eicher email address.”
Zveare wasn't expecting much, because the request code included a Bearer Authorization header carrying a token that, had the server actually validated it, should have restricted the API to authorized callers. Nonetheless, he tried crafting an API request to send a message anyway.
“I was expecting it to come back with ‘401 – Unauthorized’, but what actually came back surprised me,” he wrote. “Not only did the email successfully send, it came back with a server error that revealed an email sending log.”
The log returned with the error response magnified the severity of the poor API implementation, because it included the Base64-encoded password of the associated Microsoft Office 365 email account. Base64 is an encoding, not encryption, so anyone who could trigger the error could recover the password with a single decode.
The password belonged to Eicher's noreply account, which Zveare explained is used for sending automated emails to customers. In general, he wrote, noreply accounts may be simple aliases for email-sending services like SendGrid or Postmark, or they may be real mailboxes that a person can log into.
Zveare found the worst case: Eicher's Microsoft-hosted “email@example.com” account could be logged into, and it held records of everything emailed to customers, including insurance policies full of personal information and password reset links that could be used to hijack customers' insurance accounts. Some 657,000 emails, amounting to around 25 GB of data, could be accessed.
Zveare said he reported the problem on August 7, 2023 to India's Computer Emergency Response Team (CERT-In), because the vulnerability was not covered by Toyota's HackerOne vulnerability disclosure program. The API is said to have been fixed by October 18 with the addition of an authentication check on the send-email endpoint.
But fixing the API does not revoke a credential that has already been exposed, and Zveare fears TTIBI has not followed through.
“More than five months later, TTIBI still has not changed the password of the email account despite being aware of the vulnerability,” he wrote. “I checked it again today and I'm still able to log in (proof). If I were them, I would not want a random stranger having access to their corporate cloud for five months. This is very disappointing, and I hope they improve their security posture so their customers' data doesn't leak out.”
TTIBI and Eicher did not immediately respond to requests for comment. ®