Security firm finds flaws in Indian online insurance broker


NEW DELHI (AP) — Last month, a small cybersecurity firm told a major Indian online insurance broker that it had discovered critical vulnerabilities in the company’s Internet network that could expose personal data and sensitive financials of at least 11 million customers to malicious hackers.

The little-known firm followed the standard ethical hacker playbook, giving insurance aggregator Policybazaar time to fix the flaws and notify the authorities. It didn’t ask for pre-approval to test Policybazaar’s system but said it felt justified, in part because it had employees who were customers.

A week later, on July 24, Policybazaar, which is listed on the stock exchange and counts the Chinese conglomerate Tencent among its investors, notified Indian stock exchanges that its systems had been illegally accessed but that “no significant customer data was exposed”.

It didn’t say much more.

The startup, CyberX9, is not keeping quiet. Its chief executive wants Indians to know that the “extremely critical multiple” vulnerabilities were so easy to find that it was almost as if Policybazaar intentionally left itself open to criminal or nation-state intrusion.

“It would have been extremely easy for anyone with a good computer/IT knowledge to discover, mine and leak all of this data,” said Himanshu Pathak, director of CyberX9.

The data includes not only names, home and email addresses, dates of birth and phone numbers, but also what people need to show to obtain insurance: digital copies of identity documents and health and financial information, including tax returns, payslips, bank statements, driver’s licenses and birth certificates, CyberX9 said.

A broker for multiple insurers and policy types that claims 90% of India’s online insurance aggregator market, Policybazaar collects data through user uploads and self-generated registrations. The data included questionnaires that members of the Indian Armed Forces filled out (the company offers various insurance policies tailored to them) listing their ranks, branch of service and whether they work in hazardous areas and handle weapons and explosives.

The Associated Press reached three people listed in sample data provided by CyberX9 (which included copies of sensitive personal documents), among them a soldier stationed in Ladakh, a region in conflict with Pakistan and China. All three confirmed that they are Policybazaar customers. All said they had not been informed of any security incident.

According to documents on the website of Policybazaar’s parent company, PB Fintech Ltd., 56 million people were registered on the site at the end of December, including 11 million “merchant customers” who took out 25 million insurance policies.

Policybazaar did not respond to questions from the AP except to say it had fixed the identified vulnerabilities and referred the incident to outside advisers for a forensic audit.

It did not confirm that CyberX9 alerted it to the vulnerabilities, describe how its computer system was “subject to unlawful and unauthorized access” or explain what customer data was exposed. Policybazaar said the flaws were identified on July 19, the day after CyberX9 says it first alerted the brokerage.

Pathak provided the AP with copies of his email exchanges with India’s Computer Emergency Response Team (CERT-IN), which said on July 25 that Policybazaar had reported that the vulnerabilities were patched, and with a national cybersecurity official, Lt. Gen. Rajesh Pant, who told Pathak in a July 26 email, “Thank you for informing. Must take action against Policy Bazaar.”

Neither CERT-IN nor Pant responded to AP emails seeking comment.

CyberX9 said it decided to probe Policybazaar’s network for vulnerabilities after learning during its IPO in November how much sensitive and confidential data the company was handling.

It said it found five vulnerabilities and was able to retrieve user data without any authorization checks, and that there were no restrictions on the number of times an unauthorized user could perform such retrieval.

The researchers tested the vulnerabilities by “fully automating them using very simple scripts, all without facing any viable restrictions from your systems,” CyberX9 told Policybazaar in the technical report it sent to the company last month.

“Given the simplicity and ease of discovering and exploiting these vulnerabilities, Policybazaar has clearly left the doors open for threat actors to invade the lives of its users.”

It was unclear whether CyberX9 would face legal repercussions for probing Policybazaar’s system.

The incident highlights the gray area in which many security researchers operate around the world, including in India. Bona fide security researchers keen to prevent malicious hacks and ransomware attacks should exercise caution in India, as its Computer Crimes Act makes no distinction between malicious and ethical intent when it comes to identifying and exploiting weaknesses in software code.

“There’s an ambiguity in the law – it says you can’t test without permission and only after that can you probe,” said Apar Gupta, executive director of the Internet Freedom Foundation, a non-profit.

CERT-IN released a responsible disclosure policy in September offering good faith guidelines for hackers, he said, but it includes a disclaimer that nods to the ambiguity. US law is also ambiguous, although the US Department of Justice announced a new policy in May stating that “good faith security research should not be charged”.

Sandeep Kamble, founder of India’s SecureLayer7, said the judiciary is “completely immature” in its handling of such cases, as judges generally lack technical acumen. This means that the system favors the brash and the daring, who better have good lawyers too.

Kamble and Gupta said it appears CyberX9 researchers, as Policybazaar customers, had good reason to probe the company’s digital edifice for easily exploitable flaws, as long as they did so in a responsible manner.

In its report to Policybazaar, CyberX9 said it would be happy to receive a so-called “bug bounty” reward – which some companies pay researchers for good faith identification of flaws – “although this is not necessary”.

Pathak said no such reward was paid.

India, with 800 million internet users, also has no data protection law, even though the country’s highest court in 2017 deemed privacy a fundamental right and ordered the government to develop legislation. In parliament, the bill has been held up by criticism of certain provisions, including one that allowed the government to access personal data in the name of “sovereignty”.

Parliament last week withdrew the bill, saying it would restart the process.

Digital experts say a data protection law is needed in India, where financial fraud and data leaks are rampant. Its absence has exacerbated privacy concerns in the country, where past incidents have seen private companies and the government leak personal data.


Bajak reported from Boston.