当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0126380

漏洞标题:阳光保险可批量获取被保人的车型/姓名/车牌号码等(易受到车险诈骗)

相关厂商:阳光保险

漏洞作者: prolog

提交时间:2015-07-13 10:40

修复时间:2015-08-28 16:36

公开时间:2015-08-28 16:36

漏洞类型:敏感信息泄露

危害等级:中

自评Rank:10

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-07-13: 细节已通知厂商并且等待厂商处理中
2015-07-14: 厂商已经确认,细节仅向厂商公开
2015-07-24: 细节向核心白帽子及相关领域专家公开
2015-08-03: 细节向普通白帽子公开
2015-08-13: 细节向实习白帽子公开
2015-08-28: 细节向公众公开

简要描述:

阳光保险可批量获取被保人的车型和姓名

详细说明:

1.百度得到有效的保单号
阳光车险正式保单号码:1021205092015004597 10212050720150121
2.车险报案,输入保单号
http://m.sinosig.com/mobile/claimreport/carinsurance/car_claim_report!index.action?WT.ac_id=GW_mobile_index_chexianbaoan&needWxShare=true
返回了车型和车主姓名
{"IDCardNumber":null,"ajaxCode":null,"ajaxStatus":"success","alipayAccount":null,"apiusername":null,"applicantIdNo":null,"applicantIdType":null,"applicantName":"宋伟萍","brandName":"大众汽车SVW71611FS","caseKind":null,"caseKindName":null,"caseNo":null,"claimCustomerNo":null,"claimNo":null,"claimStatusList":null,"claimType":null,"damageArea":null,"damageCase":null,"damageCity":null,"damageDate":null,"damagePlace":null,"damageProv":null,"damageTown":null,"driver":null,"driverMobile":null,"gpsLat":null,"gpsLng":null,"isAlipay":null,"isGuess":null,"licenseNo":"鲁A988CP","licenseNoList":null,"lipeijindu":null,"lossType":null,"mobile":null,"notifyDate":null,"notifyMan":null,"nowDate":null,"ntfmIdentity":null,"payClaimList":null,"payClaimMapList":null,"policyNo":"1021205092015004597","policyNoList":null,"policyNos":"1021205092015004597","reportType":null,"resultMsg":null,"returnMessage":null,"riskCodes":"0509","sequenceNo":null,"source":null,"unPayClaimList":null,"wxId":null}
3.保单号是有序的,下一个1021205092015004598
{"IDCardNumber":null,"ajaxCode":null,"ajaxStatus":"success","alipayAccount":null,"apiusername":null,"applicantIdNo":null,"applicantIdType":null,"applicantName":"赵勇","brandName":"纳智捷DYM7182AAA","caseKind":null,"caseKindName":null,"caseNo":null,"claimCustomerNo":null,"claimNo":null,"claimStatusList":null,"claimType":null,"damageArea":null,"damageCase":null,"damageCity":null,"damageDate":null,"damagePlace":null,"damageProv":null,"damageTown":null,"driver":null,"driverMobile":null,"gpsLat":null,"gpsLng":null,"isAlipay":null,"isGuess":null,"licenseNo":"鲁A2D287","licenseNoList":null,"lipeijindu":null,"lossType":null,"mobile":null,"notifyDate":null,"notifyMan":null,"nowDate":null,"ntfmIdentity":null,"payClaimList":null,"payClaimMapList":null,"policyNo":"1021205092015004598","policyNoList":null,"policyNos":"1021205092015004598","reportType":null,"resultMsg":null,"returnMessage":null,"riskCodes":"0509","sequenceNo":null,"source":null,"unPayClaimList":null,"wxId":null}

jt.PNG


4.同样,找到有效的车牌号冀A526FE,也返回了被保人姓名

jt2.PNG

漏洞证明:

...

修复方案:

报案查询时进行多因素控制,比如需要输入被保人的身份证和姓名

版权声明:转载请注明来源 prolog@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-07-14 16:35

厂商回复:

CNVD确认所述情况,已经转由CNCERT向保险行业信息化主管部门通报,由其后续协调网站管理单位处置.

最新状态:

暂无