Insurance website's buggy API leaked Office 365 password and a giant email trove
Pen-tester accessed more than 650,000 sensitive messages, and still can, at Indian outfit using Toyota SaaS
Toyota Tsusho Insurance Broker India (TTIBI), an Indo-Japanese joint insurance venture, operated a misconfigured server that exposed more than 650,000 Microsoft-hosted email messages to customers, a security researcher has found.
The issue may not be entirely fixed. When the researcher disclosed the vulnerability on Wednesday – five months after private disclosure – the firm still had not changed the password of the affected account.
Eaton Zveare, a security researcher at Traceable AI, published an account of how he discovered the issue by examining an Android app created by Eicher Motors, an India-based automotive firm that has a subdomain (eicher.ttibi.co.in) for its car insurance premium calculator on the TTIBI website.
The Android app, My Eicher, offers various vehicle-related services like predictive uptime, fuel management, and fleet monitoring. And, as Zveare discovered, it includes an API interface Java class that contains a GET request to the premium calculator page.
Zveare then examined the calculator web page on the TTIBI website and saw that it included a client-side function that created a request to send email using a server-side API.
"This caught my eye because this was a client-side email sending mechanism," he wrote in a post describing his findings. "If it worked, I could send [an] email with any subject & body to anyone, and it would come from a genuine Eicher email address."
Zveare wasn't expecting much, because the request code set an Authorization header carrying a Bearer token, which should have limited the API to authenticated users. Any token that a page's own JavaScript can attach, though, is readable by whoever loads the page, so it can only ever be as secret as the page itself. He crafted an API request to send a message anyway.
"I was expecting it to come back with '401 – Unauthorized', but what actually came back surprised me," he wrote. "Not only did the email successfully send, it came back with a server error that revealed an email sending log."
The log returned with the error response made the broken API far worse: it contained the password of the Microsoft Office 365 account used to send the mail, Base64-encoded. Base64 is a reversible encoding, not encryption, so the password was effectively in plaintext for anyone who received the error.
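The two defects described above, an email-sending endpoint that never checks the caller and an error path that hands the caller its own SMTP log, are easy to reproduce in miniature. The following is an added example written for this article, not code from TTIBI, Eicher or the researcher; the function names, the HMAC-based session token, the log format and the sample credential are all assumptions made for the demonstration. It shows the vulnerable handler next to a hardened one that authenticates before acting, redacts AUTH payloads from its log, and returns only an opaque reference on failure, plus the one-liner that turns the leaked AUTH blob back into the password.

```python
import base64
import hashlib
import hmac
import re
import secrets
from typing import Optional

# Constructed sample credential for the example; not a real account or password.
SMTP_USER = "noreply@example.com"
SMTP_PASSWORD = "Hunter2-not-a-real-password"

# Server-held key used to mint session tokens in the hardened version (assumed scheme).
SERVER_KEY = secrets.token_bytes(32)

# Where the hardened handler keeps its log instead of returning it to the caller.
SERVER_LOG = []


def smtp_log_for(to_addr: str) -> list:
    """Constructed SMTP transcript in the style of a verbose mail library log.
    AUTH PLAIN carries base64("\\0user\\0password"), so the password is one
    b64decode away from anyone who can read this log."""
    auth_blob = base64.b64encode(f"\0{SMTP_USER}\0{SMTP_PASSWORD}".encode()).decode()
    return [
        "CLIENT -> SERVER: EHLO app.example",
        f"CLIENT -> SERVER: AUTH PLAIN {auth_blob}",
        f"CLIENT -> SERVER: MAIL FROM:<{SMTP_USER}>",
        f"CLIENT -> SERVER: RCPT TO:<{to_addr}>",
        "SERVER -> CLIENT: 550 5.1.1 mailbox unavailable",
    ]


def deliver(to_addr: str) -> None:
    """Stand-in for the real send; fails for addresses containing 'invalid'."""
    if "invalid" in to_addr:
        raise RuntimeError("550 5.1.1 mailbox unavailable")


def vulnerable_send(request: dict) -> dict:
    """Models what the researcher observed: the Authorization header is never
    checked, and any failure returns the whole transcript to the caller."""
    log = smtp_log_for(request["to"])
    try:
        deliver(request["to"])
        return {"status": 200, "body": "sent"}
    except RuntimeError as exc:
        return {"status": 500, "body": {"error": str(exc), "log": log}}


def issue_session_token(user_id: str) -> str:
    """Server-minted bearer token: user id plus an HMAC over it under SERVER_KEY.
    Client code can present it but cannot forge one for another user."""
    tag = hmac.new(SERVER_KEY, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{tag}"


def verify_session_token(token: str) -> Optional[str]:
    """Return the user id if the tag is genuine, else None."""
    user_id, _, tag = token.rpartition(".")
    if not user_id:
        return None
    expected = hmac.new(SERVER_KEY, user_id.encode(), hashlib.sha256).hexdigest()
    return user_id if hmac.compare_digest(tag, expected) else None


AUTH_RE = re.compile(r"(AUTH (?:PLAIN|LOGIN) )\S+")


def redact(line: str) -> str:
    """Replace SMTP AUTH payloads before a log line is stored anywhere."""
    return AUTH_RE.sub(r"\1[REDACTED]", line)


def hardened_send(request: dict) -> dict:
    """Same endpoint with both fixes: authenticate first, never return internals."""
    header = request.get("headers", {}).get("Authorization", "")
    scheme, _, token = header.partition(" ")
    if scheme != "Bearer" or verify_session_token(token) is None:
        return {"status": 401, "body": "unauthorized"}
    SERVER_LOG.extend(redact(line) for line in smtp_log_for(request["to"]))
    try:
        deliver(request["to"])
        return {"status": 200, "body": "sent"}
    except RuntimeError:
        # Caller gets an opaque reference; operators correlate it in SERVER_LOG.
        return {"status": 500, "body": {"error": "send failed", "ref": secrets.token_hex(8)}}


def leaked_password(response: dict) -> Optional[str]:
    """What an attacker does with a leaked log: decode the AUTH PLAIN blob."""
    body = response.get("body")
    if not isinstance(body, dict):
        return None
    for line in body.get("log", []):
        match = re.search(r"AUTH PLAIN (\S+)", line)
        if match:
            return base64.b64decode(match.group(1)).split(b"\0")[2].decode()
    return None
```

Calling `vulnerable_send` with an undeliverable address and no Authorization header at all returns a 500 whose body yields the mailbox password through `leaked_password`; the same request against `hardened_send` is refused with 401, and even a properly authenticated failure returns only an error string and a reference, with the stored log already redacted.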
The password was associated with Eicher's noreply account, which Zveare explained is used for sending automated emails to customers. Sometimes, he wrote, noreply accounts may be simple aliases to email-sending services like SendGrid or Postmark. Or they may be actual accounts that humans can use and log into.
Zveare found the worst-case scenario: Eicher's Microsoft-hosted "email@example.com" account could be logged into, and it held a record of everything ever emailed to customers, including insurance policies full of personal information and password reset links that could be used to hijack customer insurance accounts. Some 657,000 messages, around 25 GB of data, could be accessed.
Zveare said he reported the issue on August 7, 2023 to India's Computer Emergency Response Team (CERT-In), because the vulnerability was not covered by Toyota's HackerOne vulnerability disclosure program. By October 18 the API had reportedly been fixed by adding an authentication check to the email-sending endpoint.
But Zveare says the underlying credential was never rotated.
"More than five months later, TTIBI still has not changed the password of the email account despite being aware of the vulnerability," he wrote. "I checked it again today and I am still able to log in (proof). If I were them, I would not want a random stranger having access to their corporate cloud for five months. This is very disappointing, and I hope they improve their security posture so their customers' data doesn’t leak out."
TTIBI and Eicher did not immediately respond to requests for comment. ®