Hacking into a Toyota/Eicher Motors insurance company by exploiting their premium calculator website
Key Points / Summary
- An Eicher Motors premium calculator website on a Toyota Tsusho Insurance Broker India subdomain exposed Microsoft corporate cloud credentials.
- The email sending API returned sending logs to the client, which contained the email account’s password.
- The password could be used to log into the “noreplyeicher@ttibi.co.in” Microsoft email account. No two-factor authentication was enabled on the account.
- The email account had a record of everything they’ve ever sent to their customers, which is: 657k emails (~25 GB) containing things like customer information, insurance policy PDFs, password reset links, OTPs, and much more.
- Other Microsoft cloud resources were also accessible, including but not limited to the corporate directory, SharePoint, and Teams.
- Toyota Tsusho Insurance Broker India took down the vulnerable API more than 2 months after my report, but still haven’t changed the email account’s password.
New year, new automaker industry hack! As part of my automaker research projects last summer, Eicher Motors made its way up my list to investigate. In my efforts to find interesting exploits in Eicher Motors systems, I accidentally ended up compromising a different company in the process: Toyota Tsusho Insurance Broker India (“TTIBI”). A perfect storm of multiple issues culminated in me gaining control over the “noreplyeicher@ttibi.co.in” Microsoft email account, which not only had a record of everything they’ve ever sent to their customers, but also provided a foothold into their Microsoft cloud.
Toyota Tsusho Insurance Broker India and Eicher Motors
Everyone knows Toyota, but not everyone knows about Toyota Tsusho Insurance Broker India (“TTIBI”). Toyota is comprised of a vast network of different companies. TTIBI is under the Toyota Tsusho Insurance Management Corporation in Japan. TTIBI was established in 2008 and is “a leading Insurance Broker across India“.
Eicher Motors is one of India’s leading automakers. They manufacture motorcycles under Royal Enfield Motors and commercial vehicles under VE Commercial Vehicles (VECV), which is a joint venture with Volvo Group.
Both companies have some kind of insurance partnership because there is a dedicated Eicher subdomain on the TTIBI website.
The Premium Calculator
While analyzing the MY EICHER Android app, I came across an inconspicuous URL inside an API interface Java class that was a link to a premium calculator:
Visiting the link in a browser revealed it:
Looking at the source code of the website (literally right-click, view source), I quickly found some very interesting code:
This caught my eye because this was a client-side email sending mechanism. If it worked, I could send an email with any subject & body to anyone, and it would come from a genuine Eicher email address. However, seeing the Bearer Authorization put a damper on my excitement because it was clear you needed to be logged in somehow to use this API. Despite that, I decided to try crafting the API request to see what would happen. I was expecting it to come back with “401 – Unauthorized”, but what actually came back surprised me.
Not only did the email successfully send, it came back with a server error that exposed an email sending log:
If you look closely, you will find the base64 encoded password. Being able to abuse this send email function was serious enough, but the leak of the email account password elevated this to a new level of severity.
The email account
This isn’t just any email account – it’s a noreply email account. noreply accounts are typically used for sending automated emails to customers. For example, when you reset a password, the link is likely to come from a noreply account. In many cases it can just be an alias on SendGrid, Postmark, etc., but it can also be an actual account that you can log in to. The noreply account could be the most important account in an organization because it could potentially have a record of everything they’ve ever sent to customers. In TTIBI’s case, that’s exactly what it is and the amount of data revealed is gigantic:
Exploring the impact
The email account is jam packed with personal/private information. To start, you can see all the insurance policies sent to customers – here’s a few examples from different insurance companies:
You can also view one-time-passwords (OTPs) and password reset links. With this, you could easily take over someone’s insurance account.
And you could of course access resources on their Microsoft cloud, such as the corporate directory, SharePoint, and Teams:
A perfect storm of security issues
The vulnerability was so severe because it was enabled by 5 unfortunate security issues/oversights. Developers and IT administrators should be aware of all of these and make sure similar issues don’t exist in your organization.
Issue #1: Client-side email sending mechanism
Don’t create an email sending function that the client has control over. Someone malicious can abuse it to send harmful emails from your genuine account, leading to email reputation loss and phishing.
Issue #2: Missing API authentication
It looks like the frontend developer knew the email sending API should have been authenticated, but the backend developer missed the memo. If the server had actually checked the token, it might have completely stopped this exploit.
Issue #3: Leaky API response
If something goes wrong when processing an API request, don’t give too much information back to the client. In this case a password managed to leak out, which is one of the worst things that could happen.
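As an added example (not TTIBI’s or Eicher’s code) of how issues #2 and #3 are avoided on the server side: a request handler that verifies the Bearer token before sending, keeps the sending log out of the response body, and scrubs base64 SMTP AUTH LOGIN credentials from what it does retain. The token value, the SMTP transcript and the log layout are all constructed assumptions.

```python
import base64
import hmac
import uuid

# Constructed secret; a real service would load it from a secret store.
EXPECTED_TOKEN = "example-service-token"
SECRET_B64 = base64.b64encode(b"hunter2-example").decode()

# Constructed SMTP AUTH LOGIN transcript (RFC 4616-style): after each "334"
# challenge the client answers with a base64 username, then a base64 password.
SAMPLE_TRANSCRIPT = "\n".join([
    "220 smtp.example.test ESMTP",
    "AUTH LOGIN",
    "334 VXNlcm5hbWU6",  # server: base64("Username:")
    base64.b64encode(b"noreply@example.test").decode(),
    "334 UGFzc3dvcmQ6",  # server: base64("Password:")
    SECRET_B64,
    "535 Authentication failed",
])

def redact_credentials(log_text: str) -> str:
    """Replace every client reply to a 334 challenge with a marker."""
    out, expect_secret = [], False
    for line in log_text.splitlines():
        out.append("[REDACTED]" if expect_secret else line)
        expect_secret = line.startswith("334 ")
    return "\n".join(out)

def _token_ok(headers: dict) -> bool:
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    return scheme == "Bearer" and hmac.compare_digest(
        token.encode(), EXPECTED_TOKEN.encode())

def handle_send(headers: dict, body: dict, send_fn, audit_log: list) -> tuple:
    """Return (status, JSON-able body); transcripts stay in audit_log only."""
    if not _token_ok(headers):            # issue #2: actually check the token
        return 401, {"error": "unauthorized"}
    ref = uuid.uuid4().hex[:8]            # opaque reference for support staff
    try:
        transcript = send_fn(body["to"], body["subject"], body["body"])
        audit_log.append((ref, redact_credentials(transcript)))
        return 200, {"status": "sent", "ref": ref}
    except Exception as exc:              # issue #3: never echo the log back
        audit_log.append((ref, redact_credentials(str(exc))))
        return 500, {"error": "email delivery failed", "ref": ref}

def failing_send(to, subject, body):
    """Constructed stand-in for an SMTP client whose error carries the transcript."""
    raise RuntimeError("SMTP error; transcript:\n" + SAMPLE_TRANSCRIPT)
```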
Issue #4: No two-factor authentication
Logging into the Microsoft account was surprisingly easy. There was no two-factor authentication set up or any other login verification prompts. If there was, it probably wouldn’t have been possible for me to successfully log in.
Issue #5: Email retention
The final issue is that all emails the account had ever sent/received were retained, making it easy to access substantial amounts of customer information. Retention policies vary by industry, but this is a great example where having a policy in place could have softened the customer data exposure impact.
Password remains unchanged
More than 5 months later, TTIBI still haven’t changed the password of the email account despite being aware of the vulnerability. I checked it again today and I’m still able to log in (proof). If I were them, I would not want a random stranger having access to their corporate cloud for 5 months. This is very disappointing, and I hope they improve their security posture so their customers’ data doesn’t leak out.
As an aside, I’m a little surprised that they weren’t alerted by Microsoft eventually to the strange login. Or maybe they were, and the alert was ignored or not seen.
Timeline
TTIBI is not covered under Toyota’s HackerOne vulnerability disclosure program, which is a shame because the team behind that has been quick to resolve several issues I’ve reported to them in the past. I reported the issue to India’s CERT-In instead.
- August 7, 2023: I send a comprehensive email to CERT-In to report the vulnerability.
- August 8, 2023: Response received from CERT-In. A case ID was issued, and they stated they will reach out to TTIBI.
- September 1, 2023: I ask for an update.
- September 6, 2023: Response received confirming they reported the vulnerability to TTIBI and will share further updates as they receive them.
- October 8, 2023: I noticed the affected website was taken offline. However, the vulnerable API was not. I inform CERT-In.
- October 11, 2023: Response received confirming TTIBI has fixed the vulnerability. I check this and confirm the vulnerability is not fixed.
- October 18, 2023: I noticed the vulnerability is now fixed – the email sending API now requires authentication. I ask CERT-In if TTIBI can provide a bug bounty reward.
Everything after October 18 is a back-and-forth between CERT-In and me trying to determine if there would be a bug bounty reward. TTIBI never responded to the question, so I decided to close the case on December 22 and CERT-In sent me a nice appreciation letter.