Customer Information of Toyota Insurance Company Exposed Due to Misconfigurations

January 18, 2024 at 07:24AM

Security researcher Eaton Zveare gained unauthorized access to customer information in Toyota Tsusho Insurance Broker India’s email account due to misconfigurations and vulnerabilities. Zveare accessed the [email protected] email account, exposing customer data, OTPs, and access to TTIBI’s Microsoft cloud account. TTIBI took two months to address the issues, but the ‘noreply’ email account’s password remained unchanged.

The key takeaways from the report are:

1. Security vulnerabilities at Toyota Tsusho Insurance Broker India (TTIBI) allowed researcher Eaton Zveare to gain unauthorized access to customer information stored in an email account.
2. The unauthorized access was facilitated by misconfigurations and security issues, including a dedicated Eicher Motors subdomain with a client-side email-sending mechanism, lack of API authentication, API response leaking information, absence of two-factor authentication, and retention of all emails sent and received from the account.
3. Zveare was able to access sensitive customer data, password reset links, one-time passwords (OTPs), and insurance policy documents through the compromised email account.
4. Additionally, the access to the email account provided entry to TTIBI’s Microsoft cloud account, including corporate directory, SharePoint, and Teams services.
5. Although TTIBI took two months to address some of the vulnerabilities by disabling the Eicher subdomain and implementing an authentication mechanism for the exposed API, the password for the ‘noreply’ email account remained unchanged when the researcher verified access on January 17.
6. The security issues at TTIBI highlight the importance of promptly addressing vulnerabilities and implementing robust security measures to protect sensitive customer data.
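The misconfiguration pattern listed in takeaway 2 (an email-sending mechanism reachable from the client side, no API authentication, and an API response that leaks information) is easiest to see beside its fixed form. The following is an added example written for this summary, not code from the article or from TTIBI: a minimal mail-sending handler in a deliberately weak form and a hardened form. The request and response shapes, the API-key header, the template names and all credentials are hypothetical, and a stand-in mailer is used so nothing is actually sent.

```python
"""Added example (not from the article): a mail-sending API handler in two
forms. 'vulnerable_send' mirrors the pattern the article lists (no
authentication, caller controls recipient and body, response echoes transport
details); 'hardened_send' requires an API key, restricts callers to approved
templates and returns only a status. All names and shapes are hypothetical."""

import hmac
import re
from dataclasses import dataclass, field

# Constructed sample secrets. In a real deployment these come from a vault or
# the server environment, never from JavaScript delivered to the browser.
SMTP_CREDENTIALS = {"user": "noreply@example.invalid",
                    "password": "hypothetical-smtp-secret"}
SERVER_API_KEY = "hypothetical-api-key"

# Only pre-approved templates may be sent; callers cannot supply free-form text.
TEMPLATES = {
    "otp": "Your one-time password is {otp}.",
    "policy_ready": "Your policy document {policy_id} is ready.",
}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass
class FakeMailer:
    """Stand-in for an SMTP client; records what would have been sent."""
    sent: list = field(default_factory=list)

    def send(self, user, password, to, body):
        self.sent.append({"to": to, "body": body})
        # Real transport clients return details like these; the defect is
        # passing them back to the caller, not that they exist internally.
        return {"smtp_user": user, "smtp_password": password, "queued_to": to}


def vulnerable_send(request, mailer):
    """Weak form: no authentication, arbitrary recipient and body, and the
    raw transport result (credentials included) is echoed to the caller."""
    result = mailer.send(SMTP_CREDENTIALS["user"], SMTP_CREDENTIALS["password"],
                         request["to"], request["body"])
    return {"status": 200, "result": result}


def hardened_send(request, mailer):
    """Hardened form: authenticated, template-only, minimal response."""
    supplied = request.get("headers", {}).get("X-Api-Key", "")
    # Constant-time comparison so the key check does not leak timing.
    if not hmac.compare_digest(supplied, SERVER_API_KEY):
        return {"status": 401}
    template = TEMPLATES.get(request.get("template", ""))
    to = request.get("to", "")
    if template is None or not EMAIL_RE.match(to):
        return {"status": 400}
    try:
        body = template.format(**request.get("params", {}))
    except KeyError:
        return {"status": 400}  # required placeholder missing
    mailer.send(SMTP_CREDENTIALS["user"], SMTP_CREDENTIALS["password"], to, body)
    # Nothing about the transport, mailbox or credentials is returned.
    return {"status": 202}


if __name__ == "__main__":
    m = FakeMailer()
    print(vulnerable_send({"to": "customer@example.invalid", "body": "hi"}, m))
    print(hardened_send({"headers": {"X-Api-Key": SERVER_API_KEY},
                         "to": "customer@example.invalid",
                         "template": "otp", "params": {"otp": "123456"}}, m))
```

The two remaining takeaways from the list are not shown in code but follow the same line: mailbox credentials and second-factor enforcement belong on the server side, and a shared "noreply" account should not retain the OTPs and reset links it relays once they have been delivered.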
