Vulnerability Intelligence
8
mins read

Case Study: Uncovering a Critical Vulnerability in a Life Insurance App That Compromised User Privacy Through Exposed Sensitive Data and Live Activity

This detailed report which delves into a case study on a security incident unveiled with CloudSEK’s Digital Supply Chain Security platform SVigil on an Life Insurance Mobile Application for a prominent bank. 

Aarushi Koolwal
April 10, 2024
Green Alert
Last Update posted on
April 10, 2024
Make sure there's no weak link in your supply chain.

2023 was marked by a rise in supply chain attacks. Ensure robust protection across your software supply chain with CloudSEK SVigil.

Schedule a Demo
Table of Contents
Author(s)
No items found.

Executive Summary

This report delves into a case study on a security incident unveiled with CloudSEK’s Digital Supply Chain Security platform SVigil on an Life Insurance Mobile Application for a prominent bank. 

This case study examines a security lapse within a Life Insurance Mobile Application, highlighting a vulnerability originating from CloudSEK’s supply chain monitoring tool, SVigil. Leveraging this vulnerability, attackers can gain unauthorized access to live user activity and sensitive user information, including personally identifiable information (PII).  

The vulnerability within the internal mobile application used by Life Insurance company agents is the hardcoded IP address pointing to an MQTT server, which allows unauthenticated access to sensitive user data, including real-time snapshots, user statistics, transaction details, and personally identifiable information (PII) such as phone numbers and agent IDs. This exposes users to potential exploitation by attackers who can monitor live user activity and personal messages.

MQTT is a lightweight, publish-subscribe, machine to machine network protocol for message queue/message queuing service.

Step-by-Step Process

  • The initial attack vector originates from a supply chain monitoring tool, SVigil.
  1. Hardcoded IP Address Vulnerability: The application contains hardcoded IP addresses directing to internal MQTT servers, making them easily accessible to attackers.
  2. Unauthenticated MQTT Server: Lack of authentication mechanisms on the MQTT servers allows unauthorized access, enabling attackers to view and manipulate data.

  1. Excessive Screen Sharing Permissions: The application requests unnecessary screen sharing permissions, potentially granting attackers access to sensitive user information beyond the intended scope.
  2. MQTT Server Data Exposure: Leveraging knowledge of MQTT and Python, attackers exploit vulnerabilities to intercept real-time snapshots of user devices shared over the application's MQTT server.
  3. Live User Activity Monitoring: Attackers gain the ability to monitor live user activity, including personal messages, by exploiting vulnerabilities within the MQTT server.
  4. PII and Transaction Data Exposure: The application exposes user statistics, transaction data, and personally identifiable information (PII) of agents, including phone numbers and IDs, increasing the risk of unauthorized access and misuse.

Recommendations

  • Immediate IP Address Remediation: Remove hardcoded IP addresses from the application code and implement dynamic server discovery mechanisms to enhance security.
  • Authentication Mechanisms: Implement robust authentication mechanisms for MQTT servers to prevent unauthorized access and ensure data integrity.
  • Reevaluate Screen Sharing Permissions: Review and revise screen sharing permissions to minimize access to sensitive user information and limit potential attack vectors.
  • Data Encryption: Encrypt sensitive data transmitted over MQTT servers to protect against eavesdropping and unauthorized access.
  • Regular Security Audits: Conduct regular security audits and penetration testing to identify and address vulnerabilities proactively.
  • User Education: Provide training and awareness programs for users and agents to enhance security hygiene and prevent inadvertent data exposure.

References

Author

Aarushi Koolwal

Aarushi Koolwal is an avid cyber security learner.

Predict Cyber threats against your organization

Schedule a Demo
Related Posts
Blog Image
Adversary Intelligence
Breach
Data leaks
Emerging Threats
Hacktivism
October 10, 2024

Analyzing Recent Cyber Attacks in the United States Coinciding with Columbus Day Celebration

Over recent months, the United States has faced a surge in cyber attacks, with ransomware incidents rising sharply from June to October 2024. Prominent groups, including Play, RansomHub, Lockbit, Qilin, and Meow, have targeted sectors such as Business Services, Manufacturing, IT, and Healthcare, compromising over 800 organizations. Major attacks included a breach of the City of Columbus by Rhysida ransomware and data leaks impacting Virginia’s Department of Elections and Healthcare.gov. Additionally, China’s "Salt Typhoon" espionage campaign is aggressively targeting U.S. ISPs, further complicating the cyber threat landscape. Hacktivist groups advocating pro-Russian and pro-Palestinian positions have also increased their attacks, affecting government entities and critical infrastructure. This report highlights the need for enhanced security protocols, regular audits, and public awareness initiatives to mitigate the growing cyber risks. Key recommendations include implementing multi-factor authentication, frequent employee training, and advanced threat monitoring to safeguard the nation's critical infrastructure and public trust.

Blog Image
Adversary Intelligence
July 29, 2024

Exposing the Exploitation: How CVE-2024-23897 Led to the Compromise of Github Repos via Jenkins LFI Vulnerability

This blog details how CVE-2024-23897, a Local File Inclusion (LFI) vulnerability in Jenkins, was exploited to breach Github repositories. Attackers accessed sensitive files, decrypted credentials, and used them to infiltrate private repositories. The article underscores the need for timely patching, strong authentication, and regular security audits to mitigate such threats.

Blog Image
Adversary Intelligence
May 22, 2024

Behind the Advisory: Decoding Apple’s Alert and Spyware Dilemma

Apple warns of state-sponsored mercenary spyware attacks targeting iPhones in 92 countries. The tech giant links the sophisticated, costly attacks to private spyware firms like NSO Group's Pegasus, often working for governments.

Join 10,000+ subscribers

Keep up with the latest news about strains of Malware, Phishing Lures,
Indicators of Compromise, and Data Leaks.

Take action now

Secure your organisation with our Award winning Products

CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.

CloudSEK XVigil

Digital Risk Protection platform which gives Initial Attack Vector Protection for employees and customers.

Learn more about XVigil
CloudSEK SVigil

Software and Supply chain Monitoring providing Initial Attack Vector Protection for Software Supply Chain risks.

Learn more about SVigil
CloudSEK SVigil

Creates a blueprint of an organization's external attack surface including the core infrastructure and the software components.

Learn more about BeVigil Ent
CloudSEK BeVigil

Instant Security Score for any Android Mobile App on your phone. Search for any app to get an instant risk score.

Learn more about BeVigil
Vulnerability Intelligence

8

min read

Case Study: Uncovering a Critical Vulnerability in a Life Insurance App That Compromised User Privacy Through Exposed Sensitive Data and Live Activity

This detailed report which delves into a case study on a security incident unveiled with CloudSEK’s Digital Supply Chain Security platform SVigil on an Life Insurance Mobile Application for a prominent bank. 

Authors
Aarushi Koolwal
Aarushi Koolwal is an avid cyber security learner.
Co-Authors
No items found.

Executive Summary

This report delves into a case study on a security incident unveiled with CloudSEK’s Digital Supply Chain Security platform SVigil on an Life Insurance Mobile Application for a prominent bank. 

This case study examines a security lapse within a Life Insurance Mobile Application, highlighting a vulnerability originating from CloudSEK’s supply chain monitoring tool, SVigil. Leveraging this vulnerability, attackers can gain unauthorized access to live user activity and sensitive user information, including personally identifiable information (PII).  

The vulnerability within the internal mobile application used by Life Insurance company agents is the hardcoded IP address pointing to an MQTT server, which allows unauthenticated access to sensitive user data, including real-time snapshots, user statistics, transaction details, and personally identifiable information (PII) such as phone numbers and agent IDs. This exposes users to potential exploitation by attackers who can monitor live user activity and personal messages.

MQTT is a lightweight, publish-subscribe, machine to machine network protocol for message queue/message queuing service.

Step-by-Step Process

  • The initial attack vector originates from a supply chain monitoring tool, SVigil.
  1. Hardcoded IP Address Vulnerability: The application contains hardcoded IP addresses directing to internal MQTT servers, making them easily accessible to attackers.
  2. Unauthenticated MQTT Server: Lack of authentication mechanisms on the MQTT servers allows unauthorized access, enabling attackers to view and manipulate data.

  1. Excessive Screen Sharing Permissions: The application requests unnecessary screen sharing permissions, potentially granting attackers access to sensitive user information beyond the intended scope.
  2. MQTT Server Data Exposure: Leveraging knowledge of MQTT and Python, attackers exploit vulnerabilities to intercept real-time snapshots of user devices shared over the application's MQTT server.
  3. Live User Activity Monitoring: Attackers gain the ability to monitor live user activity, including personal messages, by exploiting vulnerabilities within the MQTT server.
  4. PII and Transaction Data Exposure: The application exposes user statistics, transaction data, and personally identifiable information (PII) of agents, including phone numbers and IDs, increasing the risk of unauthorized access and misuse.

Recommendations

  • Immediate IP Address Remediation: Remove hardcoded IP addresses from the application code and implement dynamic server discovery mechanisms to enhance security.
  • Authentication Mechanisms: Implement robust authentication mechanisms for MQTT servers to prevent unauthorized access and ensure data integrity.
  • Reevaluate Screen Sharing Permissions: Review and revise screen sharing permissions to minimize access to sensitive user information and limit potential attack vectors.
  • Data Encryption: Encrypt sensitive data transmitted over MQTT servers to protect against eavesdropping and unauthorized access.
  • Regular Security Audits: Conduct regular security audits and penetration testing to identify and address vulnerabilities proactively.
  • User Education: Provide training and awareness programs for users and agents to enhance security hygiene and prevent inadvertent data exposure.

References