
Insurance website's buggy API leaked Office 365 password and a giant email trove
2024-01-18 01:58

Toyota Tsusho Insurance Broker India (TTIBI), an Indo-Japanese joint insurance venture, operated a misconfigured server that exposed more than 650,000 Microsoft-hosted email messages sent to customers, security researcher Eaton Zveare has found.

Zveare then examined the calculator web page on the TTIBI website and saw that it included a client-side function that created a request to send email using a server-side API. "This caught my eye because this was a client-side email sending mechanism," he wrote in a post describing his findings.

"Not only did the email successfully send, it came back with a server error that revealed an email sending log."

The log file returned with the error response made the weak API implementation far more serious: it included the Base64-encoded password of the Microsoft Office 365 email account used to send the mail. Base64 is an encoding, not encryption, so anyone who triggered the error could recover the password in plain text with a one-line decode.

The API is said to have been fixed by October 18, 2023, with the addition of an authentication check before email can be sent.
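As an added illustration (not code from TTIBI, Zveare or The Register), the following Node.js sketch models the two defects the article describes, an email-sending endpoint that anyone can call and an error response that echoes the mailer's log with the Base64-encoded mailbox password, next to a hardened version that requires a session and returns only an opaque error reference. The handlers are pure functions over request objects so the whole thing runs offline. The mailbox name and password, the recipient data and the SMTP AUTH LOGIN transcript used to show how a Base64-encoded password can land in a mail log are all constructed assumptions; the article does not say how the password came to be encoded.

```javascript
// Constructed mailbox credential; stands in for the Office 365 account.
const MAILBOX = { user: "noreply@example.invalid", password: "Hypothetical-Pass-123" };

// Simulated SMTP client. AUTH LOGIN sends the username and password as
// Base64, which is one realistic way an encoded password ends up in a
// transcript-style mail log (an assumption, not something the article states).
function smtpSend(mailbox, msg, log) {
  log.push("> EHLO webhost");
  log.push("> AUTH LOGIN");
  log.push("> " + Buffer.from(mailbox.user).toString("base64"));
  log.push("> " + Buffer.from(mailbox.password).toString("base64"));
  if (typeof msg.to !== "string" || !msg.to.includes("@")) {
    log.push("< 553 Invalid recipient");          // constructed error reply
    throw new Error("SMTP 553 Invalid recipient");
  }
  log.push("< 250 Queued");
}

// VULNERABLE: no authentication, and on failure the whole mailer log,
// credential included, is returned to whoever made the request.
function vulnerableSendEmail(req) {
  const log = [];
  try {
    smtpSend(MAILBOX, req.body, log);
    return { status: 200, body: "sent" };
  } catch (e) {
    return { status: 500, body: e.message + "\n" + log.join("\n") };
  }
}

// HARDENED: require an authenticated session, keep the log server-side,
// and hand the caller only an opaque reference for support to look up.
const serverLog = []; // never leaves the server
function hardenedSendEmail(req) {
  if (!req.session || !req.session.userId) {
    return { status: 401, body: "authentication required" };
  }
  const log = [];
  try {
    smtpSend(MAILBOX, req.body, log);
    return { status: 200, body: "sent" };
  } catch (e) {
    const errorId = "err-" + (serverLog.length + 1);
    serverLog.push({ errorId, message: e.message, log });
    return { status: 500, body: "mail could not be sent (ref " + errorId + ")" };
  }
}

// Check for a known secret: does any whitespace-separated token in the
// response body equal the Base64 encoding of the password?
function leaksPassword(body, password) {
  const encoded = Buffer.from(password).toString("base64");
  return body.split(/\s+/).some((tok) => tok === encoded);
}

// Blind check for a pentester who does not know the secret yet: decode every
// token that looks like Base64 and round-trips cleanly, and return the results
// for a human to eyeball (usernames and passwords tend to stand out).
function decodeBase64Tokens(body) {
  const out = [];
  for (const tok of body.split(/\s+/)) {
    if (tok.length >= 8 && tok.length % 4 === 0 && /^[A-Za-z0-9+/]+=*$/.test(tok)) {
      const decoded = Buffer.from(tok, "base64").toString("utf8");
      if (Buffer.from(decoded).toString("base64") === tok) out.push(decoded);
    }
  }
  return out;
}

module.exports = { MAILBOX, vulnerableSendEmail, hardenedSendEmail, leaksPassword, decodeBase64Tokens };
```

Two things the sketch makes concrete. First, an authentication check closes the send-as-anyone hole, but it does not help with a credential that was already returned to callers; the password has to be rotated, which is the point of the researcher's complaint in the next paragraph. Second, the safe pattern for failures is to log in full on the server and return only an identifier, because a mailer log will routinely contain authentication material whether or not the developer expected it to.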

"More than five months later, TTIBI still has not changed the password of the email account despite being aware of the vulnerability," he wrote.


News URL

https://go.theregister.com/feed/www.theregister.com/2024/01/18/ttibi_office_buggy/