Vulnerability details

Disclosure status:

2015-07-13: Details reported to the vendor; awaiting the vendor's handling
2015-07-14: Vendor has confirmed; details visible only to the vendor
2015-07-24: Details disclosed to core white hats and experts in the relevant field
2015-08-03: Details disclosed to regular white hats
2015-08-13: Details disclosed to intern white hats
2015-08-28: Details disclosed to the public

Brief description:

Sunshine Insurance (阳光保险) allows bulk retrieval of insured persons' car models and names.

Detailed description:

1. Find a valid policy number with a Baidu search.
Official Sunshine auto insurance policy numbers: 1021205092015004597 10212050720150121
2. Open the auto insurance claim report page and enter the policy number:
http://m.sinosig.com/mobile/claimreport/carinsurance/car_claim_report!index.action?WT.ac_id=GW_mobile_index_chexianbaoan&needWxShare=true
The response returns the car model and the owner's name:
{"IDCardNumber":null,"ajaxCode":null,"ajaxStatus":"success","alipayAccount":null,"apiusername":null,"applicantIdNo":null,"applicantIdType":null,"applicantName":"宋伟萍","brandName":"大众汽车SVW71611FS","caseKind":null,"caseKindName":null,"caseNo":null,"claimCustomerNo":null,"claimNo":null,"claimStatusList":null,"claimType":null,"damageArea":null,"damageCase":null,"damageCity":null,"damageDate":null,"damagePlace":null,"damageProv":null,"damageTown":null,"driver":null,"driverMobile":null,"gpsLat":null,"gpsLng":null,"isAlipay":null,"isGuess":null,"licenseNo":"鲁A988CP","licenseNoList":null,"lipeijindu":null,"lossType":null,"mobile":null,"notifyDate":null,"notifyMan":null,"nowDate":null,"ntfmIdentity":null,"payClaimList":null,"payClaimMapList":null,"policyNo":"1021205092015004597","policyNoList":null,"policyNos":"1021205092015004597","reportType":null,"resultMsg":null,"returnMessage":null,"riskCodes":"0509","sequenceNo":null,"source":null,"unPayClaimList":null,"wxId":null}
3. Policy numbers are sequential; the next one is 1021205092015004598:
{"IDCardNumber":null,"ajaxCode":null,"ajaxStatus":"success","alipayAccount":null,"apiusername":null,"applicantIdNo":null,"applicantIdType":null,"applicantName":"赵勇","brandName":"纳智捷DYM7182AAA","caseKind":null,"caseKindName":null,"caseNo":null,"claimCustomerNo":null,"claimNo":null,"claimStatusList":null,"claimType":null,"damageArea":null,"damageCase":null,"damageCity":null,"damageDate":null,"damagePlace":null,"damageProv":null,"damageTown":null,"driver":null,"driverMobile":null,"gpsLat":null,"gpsLng":null,"isAlipay":null,"isGuess":null,"licenseNo":"鲁A2D287","licenseNoList":null,"lipeijindu":null,"lossType":null,"mobile":null,"notifyDate":null,"notifyMan":null,"nowDate":null,"ntfmIdentity":null,"payClaimList":null,"payClaimMapList":null,"policyNo":"1021205092015004598","policyNoList":null,"policyNos":"1021205092015004598","reportType":null,"resultMsg":null,"returnMessage":null,"riskCodes":"0509","sequenceNo":null,"source":null,"unPayClaimList":null,"wxId":null}

[Screenshot: jt.PNG]


4. Likewise, entering a valid license plate number, 冀A526FE, also returns the insured person's name.

[Screenshot: jt2.PNG]

Proof of vulnerability:

...

Remediation:

Apply multi-factor control to claim-report lookups: for example, require the insured person's ID number and name in addition to the policy number, so that a policy number (or license plate) alone cannot retrieve another person's data.
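The following is an added example illustrating the proposed fix; it is not Sinosig's code and the policy records in it are constructed placeholders. It models a hardened version of the claim-report lookup: the caller must supply the policy number (or license plate) together with the insured's ID number and name, a mismatch on any factor returns the same generic error as a nonexistent policy (so the endpoint stops acting as an oracle for valid policy numbers), repeated failures from one client are throttled, and a run of consecutive policy numbers from one client is flagged for the security team. The client identifier, the thresholds and the record layout are all assumptions for the example.

```python
"""Hardened claim-report lookup (added example, not the vendor's code)."""
import hmac
from collections import defaultdict

# Constructed sample policy store. Real deployments would query the policy
# database; the values below are placeholders, not real people or vehicles.
POLICIES = {
    "1021205092015004597": {"applicantName": "NAME_A", "applicantIdNo": "ID_A",
                            "brandName": "BRAND_A", "licenseNo": "PLATE_A"},
    "1021205092015004598": {"applicantName": "NAME_B", "applicantIdNo": "ID_B",
                            "brandName": "BRAND_B", "licenseNo": "PLATE_B"},
}
# Secondary index so a license plate is subject to the same checks (step 4).
BY_PLATE = {rec["licenseNo"]: pn for pn, rec in POLICIES.items()}

MAX_FAILURES = 5      # assumed: lock a client after this many mismatches
SEQ_ALERT_RUN = 3     # assumed: alert on this many consecutive policy numbers

_failures = defaultdict(int)   # client_id -> consecutive failed lookups
_blocked = set()               # client_ids currently locked out
_last_seen = {}                # client_id -> (last numeric policy no, run length)
ALERTS = []                    # (client_id, policy_no) sequential-probe alerts

# Single generic error: identical whether the key is unknown or the factors mismatch.
GENERIC_ERROR = {"ajaxStatus": "error",
                 "returnMessage": "policy not found or details do not match"}


def _eq(a, b):
    """Constant-time string comparison for the identity factors."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def _note_sequence(client_id, policy_no):
    """Detection: track whether one client walks policy numbers in order."""
    if not policy_no.isdigit():
        return
    n = int(policy_no)
    prev, run = _last_seen.get(client_id, (None, 0))
    run = run + 1 if prev is not None and n == prev + 1 else 1
    _last_seen[client_id] = (n, run)
    if run >= SEQ_ALERT_RUN:
        ALERTS.append((client_id, policy_no))


def is_blocked(client_id):
    return client_id in _blocked


def lookup_vulnerable(key):
    """The original behaviour described in the report: key alone returns data."""
    policy_no = BY_PLATE.get(key, key)
    rec = POLICIES.get(policy_no)
    if rec is None:
        return GENERIC_ERROR
    return {"ajaxStatus": "success", "applicantName": rec["applicantName"],
            "brandName": rec["brandName"], "policyNo": policy_no}


def lookup(client_id, key, id_no, name):
    """Hardened lookup: policy number or plate, plus ID number and name."""
    if is_blocked(client_id):
        return {"ajaxStatus": "error", "returnMessage": "too many attempts"}
    policy_no = BY_PLATE.get(key, key)
    _note_sequence(client_id, policy_no)
    rec = POLICIES.get(policy_no)
    # Evaluate both factors even when the record is missing, so timing does
    # not distinguish an unknown policy from a known one with wrong factors.
    probe = rec if rec is not None else {"applicantIdNo": "", "applicantName": ""}
    id_ok = _eq(probe["applicantIdNo"], id_no)
    name_ok = _eq(probe["applicantName"], name)
    if rec is None or not (id_ok and name_ok):
        _failures[client_id] += 1
        if _failures[client_id] >= MAX_FAILURES:
            _blocked.add(client_id)
        return GENERIC_ERROR
    _failures[client_id] = 0
    # Only vehicle details needed for the claim form; the name is not echoed
    # back because the caller already had to supply it.
    return {"ajaxStatus": "success", "brandName": rec["brandName"],
            "licenseNo": rec["licenseNo"], "policyNo": policy_no}


if __name__ == "__main__":
    print(lookup_vulnerable("1021205092015004597"))                 # leaks name
    print(lookup("c1", "1021205092015004597", "ID_A", "NAME_A"))     # success
    print(lookup("c1", "1021205092015004597", "ID_X", "NAME_A"))     # generic error
```

The design points worth keeping when porting this to the real Struts action: the error body and status must be identical for "no such policy" and "factors do not match", the comparison should not short-circuit on a missing record, and the sequential-number signal belongs in server-side logging or a SIEM rule even after the multi-factor check is in place, because it reveals enumeration attempts that the check itself silently rejects.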
