Insurance site’s buggy API leaks Office 365 password and huge email collection • The Register


A security researcher discovered that Toyota Tsusho Insurance Broker India (TTIBI), an Indo-Japanese insurance joint venture, ran a misconfigured server that exposed more than 650,000 Microsoft-hosted emails sent to customers.

The problem may not be completely resolved. When the researcher publicly disclosed the vulnerability on Wednesday — five months after privately reporting it — the company had still not changed the password for the affected account.

Eaton Zveare, a security researcher at Traceable AI, posted a description of how he discovered the issue by examining an Android app created by Eicher Motors, an India-based automotive company that has a subdomain (eicher.ttibi.co.in) on the TTIBI website for its car insurance premium calculator.

The My Eicher Android app offers several vehicle-related services such as predictive runtime, fuel management and fleet monitoring. As Zveare discovered, it includes a Java API class that contains a GET request to the calculator page mentioned above.

Zveare then checked the calculator web page on the TTIBI website and saw that it included a client-side function that generated a request to send an email using the server-side API.

“This caught my attention because this was a client-side email submission mechanism,” he wrote in a post describing his findings. “If it worked, I could send an email with any subject and text to anyone, and it would come from a real Eicher email address.”

Zveare wasn’t expecting much because the request includes a Bearer Authorization header carrying a cryptographic token, which should have limited use of the API to an authenticated user. He tried to craft an API request to send a message anyway.

“I was expecting it to come back with ‘401 – Unauthorized,’ but what actually came back surprised me,” he wrote. “Not only was the email not sent successfully, it came with a server error that revealed the email’s sending history.”

The log file returned with the error response made the API’s poor implementation far more serious, because it included the Base64-encoded password for the associated Microsoft Office 365 email account.
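Two defensive measures that would have contained this failure mode, as an added example (not code from the page, TTIBI or Eicher): a scrubber that redacts the Base64 credential exchange from an SMTP session trace before the trace is written anywhere, and an error handler that gives the API caller only a correlation id instead of the trace. The trace format, mailbox and password are constructed for the example.

```python
import base64
import logging
import re
import uuid

log = logging.getLogger("mailer")

# Constructed SMTP session trace of the kind a mail library writes at debug
# level. The mailbox and password are made up for this example.
PASSWORD = "hunter2-example"
ENCODED_PASSWORD = base64.b64encode(PASSWORD.encode()).decode()
SAMPLE_TRACE = "\n".join([
    "C: AUTH LOGIN",
    "S: 334 " + base64.b64encode(b"Username:").decode(),
    "C: " + base64.b64encode(b"noreply@example.com").decode(),
    "S: 334 " + base64.b64encode(b"Password:").decode(),
    "C: " + ENCODED_PASSWORD,
    "S: 235 2.7.0 Authentication successful",
    "C: AUTH PLAIN " + base64.b64encode(
        b"\0noreply@example.com\0" + PASSWORD.encode()).decode(),
    "S: 550 5.7.1 Recipient rejected",
])

# A Base64 token long enough to be a credential rather than a keyword.
B64 = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")


def scrub_smtp_auth(trace: str) -> str:
    """Redact the Base64 credential material in an SMTP session trace.

    AUTH LOGIN: every client line that answers a '334' challenge is a
    credential (username first, then password). AUTH PLAIN: the single
    Base64 argument encodes '\\0user\\0password' in one blob.
    """
    out, answering = [], False
    for line in trace.splitlines():
        if line.startswith("C: AUTH PLAIN ") or line.startswith("C: AUTH LOGIN "):
            head, _, blob = line.rpartition(" ")
            line = f"{head} [REDACTED]" if B64.fullmatch(blob) else line
        elif line.startswith("C:") and answering:
            line = "C: [REDACTED]"
        answering = line.startswith("S: 334")
        out.append(line)
    return "\n".join(out)


def client_error_body(exc_text: str) -> dict:
    """Response body for a failed send: a correlation id only.

    The scrubbed trace goes to the server log, never back to the caller.
    """
    ref = uuid.uuid4().hex[:12]
    log.error("mail send failed ref=%s\n%s", ref, scrub_smtp_auth(exc_text))
    return {"error": "email could not be sent", "ref": ref}
```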

The password was linked to an Eicher noreply account, which Zveare explained was used to send automated emails to customers. Sometimes such accounts are just aliases for email-sending services like SendGrid or Postmark, he wrote, and sometimes they are real accounts that humans can log into.

Zveare found the worst case: Eicher’s “noreplyeicher@ttibi.co.in” account, hosted by Microsoft, could be logged into and held records of everything emailed to customers, including insurance policies full of personal information and password-reset links that could be used to hijack customers’ insurance accounts. About 657,000 emails were accessible, amounting to roughly 25GB of data.

Zveare said he reported the issue on August 7, 2023 to the Indian Computer Emergency Response Team, because the vulnerability was not covered under Toyota’s HackerOne vulnerability disclosure program. The API was reportedly fixed by October 18 with the addition of an authentication check on email sending.

But Zveare fears that TTIBI has not followed through.

“More than five months later, TTIBI still has not changed the email account password despite being aware of the vulnerability,” he wrote. “I checked it again today and I was still able to log in (proof). If I were them, I wouldn’t want a random stranger having access to their corporate cloud for five months. This is very disappointing, and I hope they are improving their security posture so that their customer data is not leaked.”

TTIBI and Eicher did not immediately respond to requests for comment. ®
