Tuesday, June 23, 2015

Israeli Investment Home Exposes Client Data


Every now and then, we are required to provide our personal data to a big company. Sometimes, it is really required, like payment details for instance, in order to pay for the service, but usually, they need our data because they have to fill in a form. so they ask you what's your favorite color, what is your mother's maiden name or where you live.

Time passes, and some guy in the big company decides, that it is a good idea to connect this database to the Internet, or to copy it to the company's website, so the clients would feel like the company knows its clients personally and cares about them. 

So far - so good, but what happens when in the progress of modifying the website, people doing all the work don't think enough of the security consequences of their product? Sometimes, it can lead to user data expose. Our personal data. It can happen even in the United States Government: http://thehackernews.com/2015/06/china-data-theft.html


In other words you put your money in this place and hope that they handle it carefully. In order to see what's up with your money you need to log in. Let's see this:





Interesting: only one detail, the israeli Id number, and what happens next ?



Cool, my details without any authentication.
Can we do this for other people too ? 


Disclaimer 


This post describes how to collect user data. In some countries, this may be illegal, in addition, if you keep and or possess the collected data this would be illegal as well. 

I reported the security breach to the investment home, and created this Proof of Concept in order to make it clear that the breach must be fixed soon.

Preparation for the attack


So quick look at the Html\javascript: I did not find any reference to a NoBot, or reCaptcha, or other prevention. Moreover, I did not found and noticeable prevention cookie, like F5s ASM or Impervas SecureSphere. The only problem I can face is a rate limiting, which in theory can recognize that it is weird that one IP address creates so many requests to the single URL. If I was an attacker, I would probably used TOR or another anonymizing proxy, but since all I am doing is proving a point, I will just write a code that is slow enough that no one will care about


Attack

The "attack" does no harm to the servers nor to the data. I wrote a small script that will work in the following way:

  • Generate a number of 8 or 9 digits
  • Check if the number complies to the Israeli ID number standard https://github.com/eliuha/pyIsraeliId
  • Create a request to the Join.aspx on the server
  • Look for the user details in the response

Data


I ran the script for a while and I was able to collect the some personal data of the clients of  the investment home. The details are masked here in order to protect the people privacy 




Reporting

From my prior experience reporting a remote exploit to a big company is a tricky thing, not because they don't care about it, but because they don't understand the meaning of the vulnerability and the damage that they can cause to their client.

As a Financial company, the company must comply to some kind of regulation like the "Financial Bodies Data Protection Act "

http://www.this.co.il/getdoc/8d398da6-3929-484a-a41e-f14e164035a3/gufim-mosdiim.aspx



Update 1:   16/06/2015


I did not find any Security Operation Center that well help to alert the company, but, Israel is a small place, and it was relatively easy to find the CISO of the investment home. The guy sounded very responsible and promised that they will fix the vulnerability and update me when it happens.

Update 2: 21/06/2015

Nothing happened. The vulnerability still exists and the if my math is correct, using my inefficient rate, I would have collected about 10 000 records of customers personal data. I'll mail their internal supervisor, maybe they just forgot.

Turns out that Israeli Ministry of Finance has a list of internal supervisors, for the insurance companies:
http://mof.gov.il/hon/Information-entities/Received-public-entities/Pages/Consumer-Complaints-Officers-provident-funds.aspx



Update 3: 22/06/2015

They called me and told that the site was removed. 


Update 4: 19/08/2015


Now they have CAPTCHA that deserves it's own post. 

https://info.yl-invest.co.il/GIBWeb/Screens/shared/CaptchaImage.axd?guid=af4438ea-307e-4bfb-b06c-609dfdcb865a

I will have more writing to do tonight