"Customer Information of Toyota Insurance Company Exposed Due to Misconfigurations"

According to security researcher Eaton Zveare, a series of misconfigurations and security vulnerabilities allowed him to access customer information stored in an email account at Toyota Tsusho Insurance Broker India (TTIBI). The researcher noted that the unauthorized access was possible because the TTIBI site had a dedicated Eicher Motors subdomain with a premium calculator. TTIBI is an insurance broker under the Toyota Tsusho Insurance Management Corporation in Japan and appears to have a close partnership with Eicher Motors, an Indian automotive company that makes motorcycles and commercial vehicles.

According to Zveare, he gained access to the noreplyeicher@ttibi.co.in email address after discovering that the Eicher Android application contained a link to a premium calculator on ttibi.co.in, which exposed a client-side email-sending mechanism in the page source. The researcher then crafted an API request to check whether authentication was required. The request not only sent an email successfully but also returned a server error that included the base64-encoded password for the "noreply" email account.

Zveare noted that the noreply account could be the most important account in an organization because it potentially holds a record of everything the organization has ever sent to customers. In TTIBI's case, that is exactly what it was, and the amount of information revealed is enormous. Within the email account, Zveare found records of all messages sent to customers, including customer information, password reset links, one-time passwords (OTPs), and insurance policy documents. Access to the email account also provided access to TTIBI's Microsoft cloud account, including the corporate directory, SharePoint, and Teams.
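The two defects the article describes, a mail-sending endpoint that requires no authentication and an error response that echoes the account's base64-encoded password, as an added Python example that is not code from TTIBI or from the researcher: a handler with the flawed pattern beside a hardened one, plus a check a defender can run over response bodies to catch a credential leaking in clear or inside a base64 blob. The SMTP user, password, API token and the failing transport are constructed stand-ins, not values from the incident.

```python
import base64
import binascii
import logging
import os
import re
import secrets

# Constructed sample values for this example; not the real TTIBI credentials.
SMTP_USER = "noreply@example.invalid"
SMTP_PASSWORD = os.environ.get("SMTP_PASSWORD", "constructed-example-secret")
API_TOKEN = "constructed-api-token"  # hypothetical stand-in for a real session check
log = logging.getLogger("mailer")

def _smtp_send(to_addr: str, body: str) -> None:
    """Stand-in for the mail transport. It fails the way a verbose SMTP client can:
    the exception text carries the AUTH PLAIN blob, i.e. the base64 credentials."""
    blob = base64.b64encode(f"\0{SMTP_USER}\0{SMTP_PASSWORD}".encode()).decode()
    raise RuntimeError(f"535 authentication failed after AUTH PLAIN {blob}")

def vulnerable_handler(req: dict):
    """The flawed pattern: any caller may send mail, and the raw exception is echoed."""
    try:
        _smtp_send(req["to"], req["body"])
        return 200, {"sent": True}
    except Exception as exc:
        return 500, {"error": str(exc)}  # leaks the base64 credential to the client

def hardened_handler(req: dict):
    """Fix: require a credential, and keep failure detail in server logs only."""
    if not secrets.compare_digest(req.get("token", ""), API_TOKEN):
        return 401, {"error": "authentication required"}
    try:
        _smtp_send(req["to"], req["body"])
        return 200, {"sent": True}
    except Exception as exc:
        ref = secrets.token_hex(4)  # correlation id so operators can find the log line
        log.error("mail send failed ref=%s: %s", ref, exc)
        return 500, {"error": "mail delivery failed", "ref": ref}

def response_leaks_secret(payload: str, secret: str) -> bool:
    """True if the secret appears in clear or inside any base64-looking token."""
    if secret in payload:
        return True
    for tok in re.findall(r"[A-Za-z0-9+/=]{8,}", payload):
        try:
            if secret.encode() in base64.b64decode(tok, validate=True):
                return True
        except (binascii.Error, ValueError):
            continue  # not valid base64; plain words fall through here
    return False
```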


SecurityWeek reports: "Customer Information of Toyota Insurance Company Exposed Due to Misconfigurations"

Submitted by Adam Ekwall on