IDOR leads to leak medical insurance documents

Hi everyone, today I will talk about an IDOR vulnerability that I found in an insurance company, which leaked the medical insurance documents of nearly 100,000 customers.

First, a little story about how I found this company.

One day, I applied for a visa to travel to Saudi Arabia, and among the requirements for obtaining a visa is to obtain medical insurance from an insurance company. I chose this company; let’s call it Example company. After I paid the fees, they sent me the URL of my medical insurance document, which looked like this:

https://document.example.com/1682425711431052.pdf

The file name was the same as the insurance policy number, so if you knew someone else’s policy number, you would be able to get their insurance document. But at that time I didn’t pay any attention to the matter.

How I found the vulnerability

I received an email from the company offering a service covering the risks of infection from the Coronavirus (Covid-19); to pay for and get this service, “Please click on the following link”.

When I opened the link I found my passport number and insurance policy number in front of me. I took a quick look at the URL, which looked like this:

https://www.example.com/en/AddBenefit/62251

I changed the number in the endpoint to 62252.

Surprisingly, another customer’s page appeared, containing their passport number and policy number.

After that I sent the request to Burp to find a way to dump all the medical insurance documents at once. First I had to fetch the policy numbers of all customers, so I sent the request to Intruder.

The request: https://www.example.com/en/AddBenefit/$Payload

Payload Options [Numbers]: From 00000 To 90000, Step:1

Then I used the Grep - Extract option to extract the policy number from each response.

Grep - Extract option

The attack was successful and I managed to get the policy numbers.

Note: my purpose was not to dump all the medical documents; I ran this attack only to demonstrate the severity, and the payload list was actually only 100 numbers.

I copied all the policy numbers from Burp and put them in a file named policyNumbers.txt. Then I wrote a small script that reads the policy numbers from policyNumbers.txt and passes each one to the URL that downloads the medical insurance document.

The script was like this:

#!/bin/bash
# Read one policy number per line and fetch the matching PDF.
for num in $(cat policyNumbers.txt)
do
    wget "https://document.example.com/$num.pdf" -O "$num.pdf"
    mv "$num.pdf" files/
done
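The root cause on both endpoints is the same: the server resolved a record by a sequential id (the AddBenefit number, the policy number in the PDF filename) without checking who was asking. The following is an added example, not the company’s code or the author’s, showing the lookup as described in the post beside a fixed version that binds each record to its owner and replaces the guessable filename with a random server-side token; the record layout, user ids and sample data are assumptions.

```python
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Benefit:
    benefit_id: int        # sequential id, as in /en/AddBenefit/62251
    owner_id: str          # account that bought the policy (assumed field)
    policy_number: str     # also the PDF filename in the write-up
    passport_number: str


# Constructed sample data (assumption): two customers with adjacent ids.
BENEFITS = {
    62251: Benefit(62251, "user-a", "1682425711431052", "A1234567"),
    62252: Benefit(62252, "user-b", "1682425711431053", "B7654321"),
}


def get_benefit_vulnerable(benefit_id: int) -> Optional[Benefit]:
    """Behaviour described in the post: any id resolves for any caller."""
    return BENEFITS.get(benefit_id)


def get_benefit(current_user: str, benefit_id: int) -> Optional[Benefit]:
    """Fixed: the record must belong to the authenticated user.
    None covers both 'missing' and 'not yours', so the HTTP layer answers
    404 either way and the id space cannot be probed for valid records."""
    record = BENEFITS.get(benefit_id)
    if record is None or record.owner_id != current_user:
        return None
    return record


# Document links: a random capability token kept server-side and bound to
# the owner replaces the guessable policy-number filename.
DOCUMENT_TOKENS: dict = {}   # token -> (owner_id, policy_number)


def issue_document_link(current_user: str, benefit_id: int) -> Optional[str]:
    record = get_benefit(current_user, benefit_id)   # re-checks ownership
    if record is None:
        return None
    token = secrets.token_urlsafe(32)                 # 256 bits of entropy
    DOCUMENT_TOKENS[token] = (record.owner_id, record.policy_number)
    return f"https://document.example.com/{token}.pdf"


def resolve_document(current_user: str, token: str) -> Optional[str]:
    """Serve the PDF only to the owner the token was issued to."""
    owner, policy_number = DOCUMENT_TOKENS.get(token, (None, None))
    if owner is None or owner != current_user:
        return None
    return policy_number
```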

The insurance documents also contained the customer’s visa reference number, and through the Saudi Ministry of Foreign Affairs website you can get the customer’s visa document using the passport number and visa reference number.

Visa Document

I searched on LinkedIn for the security team working at this company to inform them of the vulnerability, but I did not receive any response from them.

In the end, I sent an email to Saudi CERT and informed them of the vulnerability. They in turn contacted the company to fix it.

Thanks for reading, I hope my story was useful.


https://www.twitter.com/3bodymo_

Abdullah Mohamed