Vulnerability Intelligence
8
mins read

Case Study: Uncovering a Critical Vulnerability in a Life Insurance App That Compromised User Privacy Through Exposed Sensitive Data and Live Activity

This detailed report which delves into a case study on a security incident unveiled with CloudSEK’s Digital Supply Chain Security platform SVigil on an Life Insurance Mobile Application for a prominent bank. 

Aarushi Koolwal
April 10, 2024
Green Alert
Last Update posted on
April 10, 2024
Make sure there's no weak link in your supply chain.

2023 was marked by a rise in supply chain attacks. Ensure robust protection across your software supply chain with CloudSEK SVigil.

Schedule a Demo
Table of Contents
Author(s)
No items found.

Executive Summary

This report delves into a case study on a security incident unveiled with CloudSEK’s Digital Supply Chain Security platform SVigil on an Life Insurance Mobile Application for a prominent bank. 

This case study examines a security lapse within a Life Insurance Mobile Application, highlighting a vulnerability originating from CloudSEK’s supply chain monitoring tool, SVigil. Leveraging this vulnerability, attackers can gain unauthorized access to live user activity and sensitive user information, including personally identifiable information (PII).  

The vulnerability within the internal mobile application used by Life Insurance company agents is the hardcoded IP address pointing to an MQTT server, which allows unauthenticated access to sensitive user data, including real-time snapshots, user statistics, transaction details, and personally identifiable information (PII) such as phone numbers and agent IDs. This exposes users to potential exploitation by attackers who can monitor live user activity and personal messages.

MQTT is a lightweight, publish-subscribe, machine to machine network protocol for message queue/message queuing service.

Step-by-Step Process

  • The initial attack vector originates from a supply chain monitoring tool, SVigil.
  1. Hardcoded IP Address Vulnerability: The application contains hardcoded IP addresses directing to internal MQTT servers, making them easily accessible to attackers.
  2. Unauthenticated MQTT Server: Lack of authentication mechanisms on the MQTT servers allows unauthorized access, enabling attackers to view and manipulate data.

  1. Excessive Screen Sharing Permissions: The application requests unnecessary screen sharing permissions, potentially granting attackers access to sensitive user information beyond the intended scope.
  2. MQTT Server Data Exposure: Leveraging knowledge of MQTT and Python, attackers exploit vulnerabilities to intercept real-time snapshots of user devices shared over the application's MQTT server.
  3. Live User Activity Monitoring: Attackers gain the ability to monitor live user activity, including personal messages, by exploiting vulnerabilities within the MQTT server.
  4. PII and Transaction Data Exposure: The application exposes user statistics, transaction data, and personally identifiable information (PII) of agents, including phone numbers and IDs, increasing the risk of unauthorized access and misuse.

Recommendations

  • Immediate IP Address Remediation: Remove hardcoded IP addresses from the application code and implement dynamic server discovery mechanisms to enhance security.
  • Authentication Mechanisms: Implement robust authentication mechanisms for MQTT servers to prevent unauthorized access and ensure data integrity.
  • Reevaluate Screen Sharing Permissions: Review and revise screen sharing permissions to minimize access to sensitive user information and limit potential attack vectors.
  • Data Encryption: Encrypt sensitive data transmitted over MQTT servers to protect against eavesdropping and unauthorized access.
  • Regular Security Audits: Conduct regular security audits and penetration testing to identify and address vulnerabilities proactively.
  • User Education: Provide training and awareness programs for users and agents to enhance security hygiene and prevent inadvertent data exposure.

References

Author

Aarushi Koolwal

Aarushi Koolwal is an avid cyber security learner.

Predict Cyber threats against your organization

Schedule a Demo
Related Posts
Blog Image
Adversary Intelligence
February 19, 2024

Inaccurate Reporting Regarding RBI Data Breach: CyberExpress by Cyble Erroneously Links Rural Business Incubator (RBI) to Reserve Bank of India and Issues public Advisory

CloudSEK XVigil detected a security breach impacting the Indian Rural Business Incubator. Additionally, CloudSEK noticed an advisory from CyberExpress by Cyble that incorrectly linked the data leak to the Reserve Bank of India, creating unnecessary panic. 

Blog Image
Vulnerability Intelligence
June 16, 2023

CVE-2023-20887 Leads to RCE in VMware Aria Operations for Networks

CVE 2023-20887 was discovered in the VMware Aria Operations with a CVSS score of 9.8 which leads to VMware Aria.

Blog Image
Vulnerability Intelligence
April 28, 2023

Users of Popular Android Applications Risk Getting Compromised Via Highly Privileged Device Migration Tools

CloudSEK’s researchers identified that multiple applications do not invalidate or revalidate session cookies if app data is transferred from one device to another.

Join 10,000+ subscribers

Keep up with the latest news about strains of Malware, Phishing Lures,
Indicators of Compromise, and Data Leaks.

Take action now

Secure your organisation with our Award winning Products

CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.

CloudSEK XVigil

Digital Risk Protection platform which gives Initial Attack Vector Protection for employees and customers.

Learn more about XVigil
CloudSEK SVigil

Software and Supply chain Monitoring providing Initial Attack Vector Protection for Software Supply Chain risks.

Learn more about SVigil
CloudSEK SVigil

Creates a blueprint of an organization's external attack surface including the core infrastructure and the software components.

Learn more about BeVigil Ent
CloudSEK BeVigil

Instant Security Score for any Android Mobile App on your phone. Search for any app to get an instant risk score.

Learn more about BeVigil
Vulnerability Intelligence

8

min read

Case Study: Uncovering a Critical Vulnerability in a Life Insurance App That Compromised User Privacy Through Exposed Sensitive Data and Live Activity

This detailed report which delves into a case study on a security incident unveiled with CloudSEK’s Digital Supply Chain Security platform SVigil on an Life Insurance Mobile Application for a prominent bank. 

Authors
Aarushi Koolwal
Aarushi Koolwal is an avid cyber security learner.
Co-Authors
No items found.

Executive Summary

This report delves into a case study on a security incident unveiled with CloudSEK’s Digital Supply Chain Security platform SVigil on an Life Insurance Mobile Application for a prominent bank. 

This case study examines a security lapse within a Life Insurance Mobile Application, highlighting a vulnerability originating from CloudSEK’s supply chain monitoring tool, SVigil. Leveraging this vulnerability, attackers can gain unauthorized access to live user activity and sensitive user information, including personally identifiable information (PII).  

The vulnerability within the internal mobile application used by Life Insurance company agents is the hardcoded IP address pointing to an MQTT server, which allows unauthenticated access to sensitive user data, including real-time snapshots, user statistics, transaction details, and personally identifiable information (PII) such as phone numbers and agent IDs. This exposes users to potential exploitation by attackers who can monitor live user activity and personal messages.

MQTT is a lightweight, publish-subscribe, machine to machine network protocol for message queue/message queuing service.

Step-by-Step Process

  • The initial attack vector originates from a supply chain monitoring tool, SVigil.
  1. Hardcoded IP Address Vulnerability: The application contains hardcoded IP addresses directing to internal MQTT servers, making them easily accessible to attackers.
  2. Unauthenticated MQTT Server: Lack of authentication mechanisms on the MQTT servers allows unauthorized access, enabling attackers to view and manipulate data.

  1. Excessive Screen Sharing Permissions: The application requests unnecessary screen sharing permissions, potentially granting attackers access to sensitive user information beyond the intended scope.
  2. MQTT Server Data Exposure: Leveraging knowledge of MQTT and Python, attackers exploit vulnerabilities to intercept real-time snapshots of user devices shared over the application's MQTT server.
  3. Live User Activity Monitoring: Attackers gain the ability to monitor live user activity, including personal messages, by exploiting vulnerabilities within the MQTT server.
  4. PII and Transaction Data Exposure: The application exposes user statistics, transaction data, and personally identifiable information (PII) of agents, including phone numbers and IDs, increasing the risk of unauthorized access and misuse.

Recommendations

  • Immediate IP Address Remediation: Remove hardcoded IP addresses from the application code and implement dynamic server discovery mechanisms to enhance security.
  • Authentication Mechanisms: Implement robust authentication mechanisms for MQTT servers to prevent unauthorized access and ensure data integrity.
  • Reevaluate Screen Sharing Permissions: Review and revise screen sharing permissions to minimize access to sensitive user information and limit potential attack vectors.
  • Data Encryption: Encrypt sensitive data transmitted over MQTT servers to protect against eavesdropping and unauthorized access.
  • Regular Security Audits: Conduct regular security audits and penetration testing to identify and address vulnerabilities proactively.
  • User Education: Provide training and awareness programs for users and agents to enhance security hygiene and prevent inadvertent data exposure.

References