Two different IDOR bugs at mijn.VvAA.nl lead to potential access to data of 130k healthcare providers; including their own cyber risk insurance policy documents and more. | by Jonathan Bouman | Mar, 2024


Today we are going to have a close look at the VvAA, one of the biggest insurance and consulting companies used by doctors and medical clinics in The Netherlands. They state that they represent more than 130k healthcare providers, including me: I have been a member since 2005 and have had insurance with them (no, not the cyber one) for the last 10 years. Why? Because they are a great company with grass roots in Dutch healthcare, started by 3 medical doctors 100 years ago.

In other words, they know how doctors think, they are engaged with the community and they try to do good. The proof of the pudding is in the eating, so let’s hack.

“What began in 1924 with 3 doctors has grown into a collective of over 130,000 healthcare professionals. We are their voice in societal and political debates, also providing support with all peripheral matters surrounding healthcare. This enables healthcare professionals and their organizations to focus on their most important task: delivering the best care to patients.” Source

More than a year ago we discussed the data leak at HAwebsso.nl, which exposed the private details of more than 15k Dutch doctors, including their email addresses and hashed passwords. This was an interesting finding, as it uncovered a bug that had been there for at least 3 years (judging by Archive.org logs, maybe even 5 years).

The data obtained in that hack could be easily used to perform spear phishing attacks.

The LHV quickly mitigated the bug and coordinated the disclosure, a great example of how coordinated vulnerability disclosure can be applied in healthcare.

Today we have a look at VvAA. At the time the bug was discovered (24 March 2023), they did not have a proper responsible disclosure or coordinated vulnerability disclosure (CVD) policy published.

This makes it risky for ethical hackers to test their infrastructure for problems, and it is a missed opportunity to let outside talent help them secure their assets and client data. The good news is that after this report they have implemented such a policy!

A few months after this report the CVD policy was published

One might ask: is it unethical to hack a system if you are not explicitly allowed to hack it?

One might argue that this sort of security research serves the public interest and can be compared with a journalist investigating matters that seriously affect our society. Also see the Code of Conduct of the DIVD:

We are aware that we operate at the edges of what is legally allowed, so we proceed by these three criteria commonly used in court cases on vulnerability disclosures:

Societal need: we do vulnerability disclosure to prevent online damage to as many internet users as possible and don’t serve any particular financial, political or individual interests.

Principle of Proportionality: we serve this need with appropriate means. Our research should increase and not decrease the integrity and availability of online systems.

Principle of Subsidiarity: if several means are available to meet the need, we opt for the one which has the least impact.

A real-world example is when the Dutch journalist Daniel Verlaan hacked the video conference of the EU defence ministers. As far as I know he did not have permission to research it, but he is not being charged for this hack. Mr Borrell told him during his hack:

“You know it’s a criminal offence, huh? You’d better sign off quickly before the police arrives.” — Mr. Borrell, 21 November 2020

A clear signal that we still have work to do to convince (political) leadership that we need to endorse ethical journalists and hackers like Daniel, not charge or intimidate them, or keep laws that make their work risky.

A good development is the recent endorsement of the DIVD by our Minister of Justice (Dutch): the DIVD scans the entire internet non-stop for vulnerabilities and responsibly discloses those bugs to the owners of the systems, wherever in the world they are and regardless of whether they have a responsible disclosure policy. Nobody would prosecute a firefighter, right? By the way, they are always looking for talent, so join them if you can!

Our ultimate goal for this hack is to obtain everyone’s private insurance policy documents. Who has coverage for ransomware attacks, including the guaranteed ransomware payout? Let’s get those files!

As I need to be really cautious here (no CVD policy), I reached out to a colleague who is also a VvAA insurance customer and asked whether she was OK with me trying to obtain her files and policy. She agreed and shared her account details.

Having two accounts on their internal portal helps me find IDOR bugs in a safe way: I can use my friend’s IDs instead of ‘random’ ones that would hit other customers.

Let’s start! After logging into my own account I immediately recognize the /s/ in the URL, which is often a hint that Salesforce is used behind the scenes.

The /s/ part in the URL path is a hint that their backend could be Salesforce
The source of the page confirms it: Salesforce is used as their backend system

Salesforce works with objects; everything is an object behind the scenes. Your invoice has an object ID, your profile has an object ID, and all the other stored data is reachable by referencing its ID.

Whenever you find an ID, you can construct a URL like this:
https://mijn.vvaa.nl/objectidhere. Also see this blog for more background information.

While using Burp as a proxy to intercept the traffic, I collected the object IDs I saw being used. One was 0011r00002IXXXXX, which appeared when I visited my contact details.
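For the defending side, here is an added example (not code from the original post or from VvAA) of what an authorization check over portal logs looks like once you know every record is addressed by a Salesforce ID: it normalises the 15-character case-sensitive IDs to the 18-character form (the 001 key prefix of the ID above is the Account object), and flags requests in which the logged-in user asked for a record they do not own, which is exactly the cross-customer access an IDOR produces. The log format, user names and record IDs are constructed for the example.

```python
import re
# Salesforce key prefixes (first three characters of a record ID) for a few
# standard objects; 001 is Account, the type behind the page's 0011r... ID.
KEY_PREFIXES = {"001": "Account", "003": "Contact", "005": "User", "500": "Case"}
SUFFIX_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ012345"
# Constructed log format: "<timestamp> user=<login> <method> /s/<record id>".
LOG_RE = re.compile(
    r"user=(?P<user>\S+) \S+ /s/(?P<oid>[A-Za-z0-9]{15}(?:[A-Za-z0-9]{3})?)\b")

def to_18(sfid):
    """Normalise a 15-char (case-sensitive) record ID to its 18-char form.
    Case-safe suffix: per 5-char chunk, bit i is set when chunk[i] is
    uppercase; the resulting 0-31 value indexes SUFFIX_ALPHABET."""
    if len(sfid) == 18:
        return sfid
    if len(sfid) != 15:
        raise ValueError("not a Salesforce record ID: %r" % sfid)
    suffix = ""
    for chunk in (sfid[0:5], sfid[5:10], sfid[10:15]):
        bits = sum(1 << i for i, ch in enumerate(chunk) if ch.isupper())
        suffix += SUFFIX_ALPHABET[bits]
    return sfid + suffix

def object_type(sfid):
    """Name the object a record ID belongs to, from its key prefix."""
    return KEY_PREFIXES.get(sfid[:3], "unknown")

def find_cross_customer_access(log_lines, ownership):
    """Return (user, record_id, object_type) for each request where the logged-in
    user asked for a record outside their own ownership set; IDs are normalised
    so the 15-char and 18-char forms of one record compare equal."""
    owned = {u: {to_18(o) for o in objs} for u, objs in ownership.items()}
    findings = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a record request, or a malformed ID
        oid = to_18(m.group("oid"))
        if oid not in owned.get(m.group("user"), set()):
            findings.append((m.group("user"), oid, object_type(oid)))
    return findings

# Constructed sample data: two portal users and the records each one owns.
OWNERSHIP = {"alice": ["0011r00002AbCdE", "5001r00002QqQqQ"], "bob": ["0011r00002FfgGh"]}
SAMPLE_LOG = [
    "2023-03-24T10:00:01Z user=alice GET /s/0011r00002AbCdE",
    "2023-03-24T10:00:07Z user=alice GET /s/5001r00002QqQqQAAV",  # 18-char form
    "2023-03-24T10:01:12Z user=bob GET /s/0011r00002AbCdE",  # alice's Account
    "2023-03-24T10:01:40Z user=bob GET /s/0011r00002FfgGh",
]
```

Running `find_cross_customer_access(SAMPLE_LOG, OWNERSHIP)` flags only bob's request for alice's Account record; in a real deployment the ownership set would come from the portal's own data model rather than a constant.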
