Unauthorized Exposure of Customers PII Data Through Unsecured Web Endpoint and IDOR Vulnerability

TwinTech Solutions team uncovered a critical vulnerability in a one of the major indian financial web application (Shriram Life Insurance Company Limited) . This flaw exposed sensitive customer data including PAN numbers,Bank account details,  policy details, and registration information, Personal address , through a publicly accessible web page. The discovery underscores the importance of proactive security practices and the power of  reconnaissance and OSINT analysis techniques.

The vulnerability was identified during the reconnaissance phase using a technique OSINT and assets discovery. Our team found an important unique web page of the shriramlife assets even which is not indexed in google, with our OSINT skills. This page is featured to search a customers policy details by search-by options which should in internal.

Ex: https://xxx.shriramlife.xx/SLICCCMS/Default.aspx?Source=Source

The application failed to implement proper authentication or session validation for accessing this web page. This page allow anyone to view the customer PII data s just knowing the customer ID EX: xxx1050650ID. Furthermore by simply modifying the customer ID (e.g., changing ` xxx1050660ID` and `xxx1050670ID`, etc.)Like an ascending and descending order, anyone could access other users’ PII data.This allowing anyone could access to private data. Even more concerning an attacker able to get a millions customer details by just IDOR the customer ID.

Upon confirming the severity of the issue, TwinTech Solutions immediately reported the vulnerability to CERT-IN. The response was swift and professional. The issue was acknowledged as critical, and a patch was deployed promptly to secure the endpoint and prevent further data exposure and security risks.

This case highlights the importance of thorough security testing and the value of thinking like an attacker. At TwinTech Solutions, we pride ourselves on our proactive approach and technical depth. By leveraging advanced techniques and automation, we help organizations stay one step ahead of cyber threats.