IDOR leads to leak medical insurance documents

Hi everyone, today I will talk about IDOR vulnerability that I found it in a insurance company that leaks the medical insurance documents of nearly 100,000 customers.

One day, I applied for a visa to travel to Saudi Arabia, and among the requirements for obtaining a visa is to obtain medical insurance from an insurance company, I chose this company and let’s call it Example company. After I paid the fees for this company, they sent me URL of my medical insurance document, and the URL was like this:

https://document.example.com/1682425711431052.pdf

The file name was the same as the insurance policy number, so if you knew someone else’s insurance policy number, you will be able to get his insurance document. But at that time I didn’t pay any attention to the matter.

I received an email from the company offering a service regarding the risks of infection from Corona Virus (Covid-19) and to pay and get this service, “Please click on the following link”.

When the link is opened I found my passport number and insurance policy number in front of me, I threw quick look at what the URL looks like, it was like this:

https://www.example.com/en/AddBenefit/62251

I changed the number in the endpoint to 62252.

Surprisingly, another customer’s page appeared to me containing his passport number and his policy number.

After that I sent the request to burp to find a way to dump all the medical insurance documents at once. At first I have to fetch all the policy number of all customers, so I sent the request to intruder.

The request: https://www.example.com/en/AddBenefit/$Payload

Payload Options [Numbers]: From 00000 To 90000, Step:1

Then I used Grep - Extract option to extract the policy number from each response.

Grep - Extract option

The attack was successful and I managed to get the policy numbers.

Note: my purpose was not to dump all the medical documents but I did this attack only to escalate the severity, and actually the payloads was only 100 numbers.

I copied all the policy numbers from burp, then I put them in a file named policyNumbers.txt. Then I created a small script that takes the policy numbers from policyNumbers.txt file and give it to the URL that downloads the medical insurance document.

The script was like this:

# /bin/bashfor num in `cat policyNumbers.txt`
do
wget "https://document.example.com/$num.pdf" -O $num.pdf
mv $num.pdf files/
done

The insurance documents also contained the customer’s visa reference number, and through the Saudi Ministry of Foreign Affairs website, you can get the customer’s visa document through the passport number and visa reference number.

Visa Document

I searched for the security team that they working in this company via LinkedIn to inform them of this vulnerability, but I did not receive any response from them.

In the end, I sent an email to Saudi CERT and I informed them of the vulnerability. They in turn contacted the company to fix the vulnerability.

Thanks for your reading, I hope my story was useful.