Toyota exposed its customers by making their data publicly available from 2023

Brother

Negligence led to the disclosure of secrets of the company and its customers.

Toyota Tsusho Insurance Broker India (TTIBI), a joint Indian-Japanese insurance company, has discovered a security issue that led to the leak of more than 650,000 customer emails hosted on Microsoft servers. The privacy breach was discovered by a cybersecurity researcher.

The problem was an incorrectly configured server, and as it turned out, it was not completely resolved. Despite the fact that the researcher reported it 5 months ago, the company still hasn't changed the password for the affected account.

Eaton Zveare, a researcher at Traceable AI, described how he discovered the vulnerability while analyzing an Android app from the Indian vehicle manufacturer Eicher Motors. The app, designed for various automotive services, included an API interface that led to information disclosure.

The My Eicher Android app offers a variety of vehicle-related services, such as predicting equipment uptime, fuel management, and fleet monitoring. The application includes a Java API class that contains a GET request to the premium calculator page.

Zveare discovered that the insurance premium calculator web page on the TTIBI site contained a function for sending email via the server API. This raised suspicions, since in theory such a mechanism could be used to send emails on behalf of the company.

Image: The researcher sent an email on behalf of Eicher Motors.

When Zveare tried to use the discovered API to send a message, instead of the expected "401 – Unauthorized" error he received server logs revealing the password (in Base64 encoding) of the Eicher Motors account in Microsoft Office 365, which was used to send automatic emails to customers from the noreply@address.

Image: The email was returned with a server error that showed the email sending log. The encoded Microsoft Office 365 password is displayed here.

Most worryingly, it was possible to access the contents of all emails sent to customers through the account, including insurance policies with personal information and links to reset passwords, which could lead to the theft of accounts. In total, 657,000 emails were disclosed, which was about 25 GB of data.

Zveare reported the problem in August 2023 to the Computer Emergency Response Team of India (CERT-In), as the vulnerability did not fall under the Toyota vulnerability disclosure program on HackerOne. In October, it was announced that the problem had been partially fixed by adding authentication checks for sending emails.

However, according to Zveare, TTIBI did not take proper measures and did not change the password even 5 months after the problem was discovered. TTIBI and Eicher Motors did not respond to requests for comment.
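The two defects described above (an email-sending endpoint with no authentication check, and an error path that returned the mail server's own log, Base64-encoded password included) can be shown side by side in a small handler. This is an added illustration, not code from TTIBI, Eicher Motors or the researcher; the credentials, token and mailbox are constructed placeholders, and `smtp_login` is a stand-in that always fails so the error path is exercised.

```python
import base64
import hmac
import logging
import secrets
import traceback

# Constructed sample values; not the real TTIBI/Eicher credentials or endpoint.
SMTP_PASSWORD = "hunter2-example"
API_TOKEN = "example-client-token"


class SmtpError(Exception):
    pass


def smtp_login(user: str, password: str) -> None:
    """Stand-in for the Office 365 SMTP login. Always fails, so the handler's
    error path (where the leak happened) is exercised."""
    raise SmtpError(f"AUTH LOGIN failed for {user} with "
                    f"{base64.b64encode(password.encode()).decode()}")


def vulnerable_send(request: dict) -> tuple[int, str]:
    """Bug class from the article: no auth check, and the raw exception text,
    including the Base64-encoded mailbox password, is returned to the caller."""
    try:
        smtp_login("noreply@example.invalid", SMTP_PASSWORD)
        return 200, "sent"
    except SmtpError:
        return 500, traceback.format_exc()


def hardened_send(request: dict) -> tuple[int, str]:
    """Fix: reject unauthenticated callers first; on failure, log the detail
    server-side with the secret redacted and return only an opaque reference."""
    token = request.get("headers", {}).get("Authorization", "")
    if not hmac.compare_digest(token, f"Bearer {API_TOKEN}"):
        return 401, "Unauthorized"
    try:
        smtp_login("noreply@example.invalid", SMTP_PASSWORD)
        return 200, "sent"
    except SmtpError as exc:
        ref = secrets.token_hex(8)
        b64 = base64.b64encode(SMTP_PASSWORD.encode()).decode()
        logging.error("mail send failed ref=%s: %s", ref,
                      str(exc).replace(b64, "[REDACTED]"))
        return 500, f"Internal error (ref {ref})"


def leaks_password(body: str) -> bool:
    """Detection check: does a response body contain the password, plain or Base64?"""
    b64 = base64.b64encode(SMTP_PASSWORD.encode()).decode()
    return SMTP_PASSWORD in body or b64 in body
```

The `leaks_password` check is the kind of assertion worth running against error responses in an API test suite; note that the hardened handler still leaves the credential valid, which is why rotating the password after exposure matters regardless of the code fix.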