Overview:
During a recent security assessment, TwinTech Solutions identified a critical vulnerability in the web application of a leading Indian insurance and financial services provider (Shriram Life Insurance Company Limited). The flaw allowed anyone to gain real-time access to customer portal accounts using only the user ID, potentially enabling full account takeover and exposure of sensitive personal information.
Initial Indicator of a Vulnerability:
The vulnerability was identified during the enumeration phase. Our team found that the application exposes a specific error when an invalid user ID is entered on the forgot password page. This proves that the forgot password flow leaks account existence information. The valid user IDs were gathered through publicly available information, making the attack even more feasible.
Misconfigured verification flow in password reset function:
Knowing a valid customer user ID, our team tested the password reset flow for that user ID. Once a new password is set and submitted, the application sends an OTP to the corresponding customer's mobile number. However, when the OTP verification was canceled, the application still accepted the new password for that customer user ID and allowed us to log in.
Authentication Integrity Breakdown:
The newly created password was activated without restrictions. Additionally, our team identified a back-end logic flaw allowing both the old and new passwords to remain valid simultaneously for the same account, resulting in multiple active passwords for a single user (one account = multiple passwords). The customer dashboard could be accessed with either the new or the old password.
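A server-side sketch of the corrected flow for the two flaws above, added here as an example and not the insurer's or TwinTech's code: the new password is only staged until the OTP is verified, canceling discards it, and a confirmed reset overwrites the single stored credential so the old password stops working. The class name, method names and reply text are hypothetical, the OTP outbox stands in for an SMS gateway, and OTP expiry and attempt limits are left out.

```python
import hashlib, hmac, secrets

GENERIC_REPLY = "If the user ID exists, an OTP has been sent."

def _hash(password, salt):
    # Example KDF parameters (assumption); tune for production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class ResetService:
    """Hypothetical in-memory model: exactly one active password per user."""
    def __init__(self):
        self.creds = {}      # user_id -> (salt, hash), the only login credential
        self.pending = {}    # user_id -> (otp, salt, hash), never used for login
        self.outbox = None   # stand-in for the SMS gateway

    def register(self, user_id, password):
        salt = secrets.token_bytes(16)
        self.creds[user_id] = (salt, _hash(password, salt))

    def login(self, user_id, password):
        salt, stored = self.creds.get(user_id, (b"\0" * 16, b""))
        return hmac.compare_digest(_hash(password, salt), stored)

    def request_reset(self, user_id, new_password):
        # Same reply for known and unknown user IDs: no account-existence signal.
        if user_id in self.creds:
            otp = f"{secrets.randbelow(10**6):06d}"
            salt = secrets.token_bytes(16)
            self.pending[user_id] = (otp, salt, _hash(new_password, salt))
            self.outbox = (user_id, otp)
        return GENERIC_REPLY

    def cancel_reset(self, user_id):
        # Canceling the OTP step discards the staged password; nothing activates.
        self.pending.pop(user_id, None)

    def confirm_reset(self, user_id, otp):
        staged = self.pending.pop(user_id, None)  # single use, right or wrong
        if staged is None or not hmac.compare_digest(staged[0].encode(), otp.encode()):
            return False
        # Overwrite, never append: the old password is invalid from here on.
        self.creds[user_id] = staged[1:]
        return True
```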
Risk Classification:
This is not a minor security issue. It is a critical vulnerability that allows attackers to bypass the password reset validation process, create multiple valid passwords for a single user account, and maintain persistent unauthorized access within the system.
Responsible Disclosure and Remediation:
Upon confirming the severity of the issue, TwinTech Solutions immediately reported the vulnerability to CERT-IN. The response was swift and professional. The issue was acknowledged as critical, and a patch was deployed promptly to secure the endpoint and prevent further data exposure.
Conclusion:
This case highlights the importance of thorough security testing and the value of thinking like an attacker. At TwinTech Solutions, we pride ourselves on our proactive approach and technical depth. By leveraging advanced techniques and automation, we help organizations stay one step ahead of cyber threats.
Security isn’t just about tools, it’s about mindset, skills and proactive action.

