
Policybazaar, a major Indian insurance aggregator funded by a Chinese company, exposed sensitive and confidential personal, health, and financial data of around 56.4 million of its customers including defense personnel, and potentially compromises national security

"Shall initiate action against Policybazaar" - India's National Cyber Security Coordinator (NCSC), Prime Minister Office of India

✍️10 August 2022

Summary

CyberX9's cyber security research team discovered multiple (a total of five) critical security vulnerabilities in Policybazaar, a major Indian insurance aggregator funded by a Chinese company, Tencent Holdings. Policybazaar exposed data of around 56.4 million customers including Indian defense personnel.

Through these critical vulnerabilities, Policybazaar exposed all confidential and sensitive personally identifiable information (PII), health information, financial information and copies of government identification documents (Aadhaar, Passport, etc.) of around 56.4 million customers, including many Indian defense personnel. (1)

Policybazaar is an Indian insurance aggregator funded by a Chinese company. Policybazaar claims to have 56.4 million registered customers and India’s largest digital insurance market share of 93.4%.

The data of around 56.4 million people exposed to the whole internet by Policybazaar included, but was not limited to, the customer's full name, date of birth, complete residential address, email address, mobile number, policy details including nominee details, copies of the customer's bank account statements, copies of income tax return documents, copies of passports, copies of Aadhaar cards, copies of PAN cards, and so on. Policybazaar has put the data of millions of its customers and India's national security at absolute risk and exposed all of it due to Policybazaar's potentially intentional backdoor vulnerabilities.

All of the discovered vulnerabilities could have been used for large-scale automated exfiltration of sensitive and confidential user data, with no restriction imposed by Policybazaar's systems.

We responsibly and in good faith reported the findings to Policybazaar within a few hours of the vulnerabilities being discovered and confirmed by our team. Our team worked tirelessly over the weekend and continued late into the night until the early morning of 18th July 2022 in order to get the detailed report delivered to Policybazaar, so that they could fix these critical vulnerabilities without any delay and secure the sensitive data affecting national security and millions of Indians.

The discovered vulnerabilities were extremely easy to discover and exploit by anyone with good computer knowledge. They were improper authorization and IDOR (insecure direct object reference) vulnerabilities, which exposed the massive amount of sensitive data to the whole internet. No authentication needed to be broken to expose such data; it was enough to sequentially step up and down a range of numbers used as input to API requests to get the data of millions of customers. There is a high potential that these vulnerabilities were backdoor vulnerabilities, possibly left intentionally by Policybazaar.
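To show the authorization gap described above in working code, here is an added example written for this article, not code from Policybazaar's systems: a document lookup that only checks that a caller is logged in, beside one that also checks that the caller owns the requested record. The data store, ids, session type and function names are constructed assumptions.

```python
"""Added example (not Policybazaar's code): an endpoint that only authenticates
the caller, beside one that also authorizes access to the requested object."""
from dataclasses import dataclass
from typing import Callable, Iterable, List

# Constructed sample store: customer documents keyed by a sequential numeric id,
# the pattern that makes "walk the id range" enumeration possible.
DOCUMENTS = {
    1001: {"owner": "cust-a", "kind": "aadhaar_copy", "blob": "<constructed>"},
    1002: {"owner": "cust-b", "kind": "bank_statement", "blob": "<constructed>"},
    1003: {"owner": "cust-a", "kind": "passport_copy", "blob": "<constructed>"},
    1004: {"owner": "cust-c", "kind": "defense_questionnaire", "blob": "<constructed>"},
}


@dataclass(frozen=True)
class Session:
    """Authenticated principal; assumed to come from a server-verified session token."""
    user_id: str


class NotFound(Exception):
    """Mapped to HTTP 404 by the (hypothetical) web layer."""


def get_document_vulnerable(session: Session, doc_id: int) -> dict:
    """IDOR: checks that *a* user is logged in, never that this user owns doc_id."""
    if not session.user_id:
        raise PermissionError("login required")
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise NotFound(doc_id)
    return doc


def get_document_hardened(session: Session, doc_id: int) -> dict:
    """Object-level authorization: the lookup is scoped to the caller's own records."""
    if not session.user_id:
        raise PermissionError("login required")
    doc = DOCUMENTS.get(doc_id)
    # Missing and foreign ids get the same 404, so a caller cannot learn which
    # ids exist, and the owner check happens before any data leaves the function.
    if doc is None or doc["owner"] != session.user_id:
        raise NotFound(doc_id)
    return doc


def enumeration_yield(handler: Callable[[Session, int], dict],
                      session: Session, id_range: Iterable[int]) -> List[int]:
    """Audit helper: which ids in id_range does one session get back from handler?

    Run against a staging copy with a low-privilege test account, this is the
    regression check that catches the authorization gap: the hardened handler
    must return only the ids owned by the test account.
    """
    got = []
    for doc_id in id_range:
        try:
            handler(session, doc_id)
        except (NotFound, PermissionError):
            continue
        got.append(doc_id)
    return got


if __name__ == "__main__":
    tester = Session("cust-b")
    print("vulnerable:", enumeration_yield(get_document_vulnerable, tester, range(1000, 1010)))
    print("hardened:  ", enumeration_yield(get_document_hardened, tester, range(1000, 1010)))
```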

Our team tested Policybazaar's security posture since some of our team members are also Policybazaar's customers.

Our team, along with external experts on national security and cyber security, analysed how a company handling extremely sensitive data of millions of people, including Indian defense personnel, could have such extremely easy-to-find and critical vulnerabilities just sitting there in plain sight. There have been instances worldwide of Chinese-backed or Chinese companies having intentional backdoor vulnerabilities in their services, through which they can give access to their partner criminals in China or, many times, to the Chinese government.

At the end of our analysis, we concluded that there is a high potential that Policybazaar could have these vulnerabilities as intentional backdoors in order to potentially allow the Chinese government access to sensitive data of Indian nationals and particularly defense personnel. There is a high potential of that due to (1) Policybazaar being funded by a Chinese company, Tencent; (2) Policybazaar being very hesitant to fix the vulnerabilities and taking more than seven days (as CERT-In confirmed to us) to patch, even after we kept pushing them to fix urgently, when the vulnerabilities could have been fixed in less than one hour; (3) more on this in Section 3 below.

We provided Policybazaar's management team with a very detailed 21-page report on the early morning of 18th July 2022. The report contained all technical details along with the impact of the vulnerabilities and how they could immediately fix them. But still, with so much information, Policybazaar was unable to confirm to us for almost seven days whether they had fully fixed the vulnerabilities, despite our constant reminders to fix them at the earliest in the interest of the safety of millions of customers and Indian national security. Later, when we contacted CERT-In and shared our detailed report with them on 24th July, CERT-In confirmed to us on 25th July that Policybazaar had now admitted and fixed the reported vulnerabilities, and asked us to retest whether the vulnerabilities were fixed.

Moreover, later on 24th July, Policybazaar informed the BSE and NSE stock exchanges about a data breach that happened on 19th July 2022. That is a day after we responsibly reported these critical vulnerabilities to Policybazaar on 18th July 2022, and we kept requesting them to immediately fix the vulnerabilities to protect the public's data, but their responses were insincere, sluggish, and unprofessional. If those were the same vulnerabilities exploited by the said malicious hacker(s) in this breach, reported to have happened on 19th July, then that clearly means that, due to Policybazaar's inaction on our timely responsible disclosure, they evidently leaked users' data through gross negligence or through these potentially intentional backdoors they left open.

National security agencies taking action against Policybazaar for this

Considering the severity of this and the high potential chances of this being an intentional backdoor by Policybazaar, an Indian insurance aggregator funded by a Chinese company, we decided to inform Lt. Gen. (Retd.) Dr. Rajesh Pant, National Cyber Security Coordinator (NCSC), Prime Minister's Office of India. Dr. Pant promptly replied to us after going through the information we shared, thanked us for it, and informed us that they shall initiate action against Policybazaar.

What data was exposed❓🌊

The information exposed by Policybazaar about millions of people (including Indian defense personnel) includes, but is not limited to, the following:

- customer's photo,
- customer's full name,
- customer's date of birth,
- customer's complete residential address,
- customer's email address,
- customer's mobile number,
- customer's credit report,
- customer's PAN number,
- customer's policy details including nominee details,
- customer's family members' policy details,
- copies of customer's bank account statements,
- copies of customer's income tax returns,
- copies of customer's passport,
- copies of customer's immigration visa,
- copies of customer's records of country entry and exit,
- copies of customer's Aadhaar card (both sides),
- copies of customer's PAN card,
- copies of customer's driving license,
- copies of customer's health records,
- copies of customer's payslips,
- sensitive details of defense personnel who are Policybazaar customers,
- copies of customer's past policy documents,
- copies of customer's birth certificate,
- copies of customer's vehicle registration certificate, and so on.

Specifically for Indian defense personnel, the above-mentioned data was exposed along with the data of a "Defense questionnaire" that Policybazaar takes from people working in the Indian defense forces. These vulnerabilities exposed the questionnaire replies of all defense personnel who bought a policy from Policybazaar. In addition to the data listed above, this includes, but is not limited to:

- Which specific branch of the Indian defense forces someone is in, such as Indian Army, Navy or Air Force, and even whether someone is in one of the Indian special forces such as SPG, Black Cat commando, CoBRA or Anti Terrorist Squad.
- Current rank and designation in that defense force
- Current location of posting (which is often very confidential)
- Whether someone is engaged in any hazardous activities, e.g. aviation, diving, parachuting, bomb disposal or special service groups, and length of service in those roles.
- Specific nature of role
- Whether someone in the Indian defense forces is currently serving in, or is under orders to proceed to, any troubled area or an area around India's borders
- Whether someone handles weapons or explosives and, if yes, details of such weapons and explosives.

Such data is very confidential and sensitive for Indian national security, especially when combined with the defense personnel's personal data which was also exposed by Policybazaar, an Indian insurance aggregator funded by a Chinese company. This is a goldmine for any adversary nation of India.

How did Policybazaar potentially compromise national security of India❓🪖🥷

There is a high potential that Policybazaar, an Indian insurance aggregator funded by a Chinese company, having these critical vulnerabilities that exposed sensitive and confidential customer data of millions of Indian people including Indian defense personnel, is nothing but an intentional backdoor that Policybazaar left open for someone to steal the data. The exposed data would be a goldmine for any adversary of India and would greatly help them achieve their malicious objectives against India. This also puts national defense under severe threat.

Why do we think Policybazaar would've potentially done this?

1. Policybazaar is funded by a major Chinese company, Tencent, and such sensitive and confidential data about the Indian defense forces is a goldmine for the Chinese government in order to harm India.

2. The vulnerabilities were very easy to find and exploit, hiding in plain sight, which is a perfect trait of an intentional backdoor.

3. Policybazaar did not confirm for a long time whether they had fixed the vulnerabilities, even after our repeated requests, nor did Policybazaar share a timeline for fixing them, which we kept asking for. This shows their hesitation and deliberate delay in fixing the vulnerabilities. Maybe because these were potential backdoors?!

4. Policybazaar's whole communication with us during this responsible disclosure was sluggish, unprofessional, and full of sheer negligence in handling such critical issues.

5. Multiple internal and external analysts have checked our findings on Policybazaar, and all assessed that there is a high potential that these are backdoors left open intentionally.

6. In the past, many Chinese companies globally have left such backdoors intentionally to leak sensitive data. The Indian government has also banned multiple Chinese-funded apps.

How does it affect the national security of India?

An adversary of India, whether a terrorist organization or a country like China, having access to such data of Indian defense personnel could use it in their evil plans to harm Indian national security in multiple ways, such as:

1. The adversary could target specific defense personnel serving in sensitive positions such as border areas, areas of conflict, special forces, and VVIP security such as that of the Prime Minister of India and ministers. The adversary could further narrow down a target using the exposed data on which weapons or explosives they handle, how long they have been in that position, and so on. The adversary could then harm the chosen personnel's family or policy nominee, since that is usually the most important person to someone. Relatives and family can be easy targets for kidnapping, with a view to blackmailing and extorting the specific defense personnel into doing something for the adversary. Even for targeting the personnel and their family and nominee, the other exposed personal data greatly helps the adversary in achieving their malicious goals.

2. This exposed data also provides an adversary with sensitive information about what types of weapons and explosives are used in which border and strategic areas of India.

3. Families of defense personnel at sensitive postings will be exposed to an increased threat due to this exposed data.

4. This data could also let Chinese forces plant malware on the mobile and computer devices of defense personnel and their families, since it gives them access to their mobile numbers and email addresses too, among tons of other sensitive data.

5. This data also includes health data of defense personnel, which could further be used to target and harm the defense personnel and India's national security.

One detailed example: an Indian Army person posted in the Ladakh region at the border with China also bought a policy from Policybazaar and filled in the "Defense questionnaire" that Policybazaar takes from people working in the Indian defense forces. This means this person's data was also exposed through these vulnerabilities; now consider that Chinese forces have stolen the data using these potentially intentional backdoor vulnerabilities. Chinese forces then know that this person is posted at XYZ place, has such and such weapons and has been there for X amount of time. They can then target this Indian Army person by threatening to harm their family unless they provide more sensitive border information of the Indian Army, or by holding the family hostage and forcing the person to attack Indian Army personnel.

What potential impact does it have on the security and privacy of people affected? 🤕

The impact of these vulnerabilities was extremely critical and huge, since through them Policybazaar exposed very sensitive personal information and copies of sensitive and confidential personal identification, health and financial documents of millions of Policybazaar's customers including Indian defense personnel.

These vulnerabilities could easily have been used by malicious attackers to steal the exposed sensitive data of millions of customers and Indian defense personnel and to misuse it, resulting in identity theft, extortion, threats and national security threats, on top of obtaining the data of millions of customers. There is an immeasurable number of ways in which data at the level exposed by Policybazaar can be used by malicious attackers to permanently harm the lives of millions of Policybazaar customers and Indian national security.

The exposed personal, health and financial documents are extremely sensitive and are usually the goldmine of information needed for many malicious attacks against millions of Indians. Though there is an indefinite number of possible malicious use cases for such highly sensitive data of millions of people, below are a few to give people an idea.

1. Malicious people could use such data for identity theft of Policybazaar customers. As part of identity theft they could potentially open bank accounts for fraud purposes, take loans, and similar, in the names of Policybazaar's customers using this exposed data.

2. The information exposed by Policybazaar could also be a virtual gold mine for phishers and scammers involved:

“Phishing is a form of fraud in which an attacker masquerades as a reputable entity or person in email or other forms of communication.” — SearchSecurity

2.1. in so-called Business Email Compromise (BEC) scams, which often impersonate brokers, banks, and businesses in a bid to trick individuals and companies into transferring funds to fraudsters. According to the FBI, BEC scams are the most costly form of cybercrime today.

2.2. in scams and extortion calls to individuals filtered by their financial details from this exposed data.

2.3. in scam calls pretending to be from the victim's bank, the Income Tax Department or some other institution, gaining the victim's trust by quoting the sensitive personal and financial details exposed through this vulnerability.

2.4. in income tax refund scams.

Armed with such access to Policybazaar's exposed data, phishers and scammers would have an endless supply of compelling scamming templates for calls and emails to use.

3. Such exposure of sensitive and confidential data has a massive impact on the security and privacy of millions of people and exposes them to different types of threats; some of the people affected may be secret government employees, defense personnel, high-net-worth individuals or anyone under threat of some sort. This would permanently damage the privacy and security of millions of Policybazaar users.

4. People commonly use the type of information exposed here as their passwords and security-question answers for services. That is why it can also lead to people's social media, email, and other accounts being hacked by malicious attackers using information from this exposure.

5. Such exposure of sensitive personal and financial data of massive numbers of people easily leads to financial fraud and identity theft, and exposes people to extortion, targeted attacks, and so on. The type of data exposed is also used for secret questions in multiple services such as net banking and for verification of various things.

For years, governments worldwide have been imposing hefty fines on companies for exposing and leaking customer data. Under the GDPR law of the European Union, companies that clearly did not take reasonable security steps to secure sensitive data have received hefty fines.

Some prominent past incidents of such fines:

“In July 2019, Equifax settled a lawsuit stemming from its 2017 data breach, which exposed the personal information of 147 million people. Under the settlement with the FTC, CFPB and state attorneys general, Equifax has agreed to spend up to $425 million to help people affected by the data breach.” — Source

Under GDPR law, British Airways and Marriott famously both received fines of over €10,000,000 for GDPR violations where they exposed customer data and were fined for insufficient technical and organisational measures to ensure information security (similar to Policybazaar, but Policybazaar's case is much more severe considering the strong potential intentional backdoor side of it). You can see other fines issued under GDPR privacy law for cyber security negligence here.

Why did this data expose happen? 🔭

There are strong indications, found in our detailed analysis, that these easy-to-discover and easy-to-exploit vulnerabilities in Policybazaar, an Indian insurance aggregator funded by a Chinese company, were potentially intentional backdoors to leak the sensitive and confidential data of millions of Indian people and of people related to India's national defense. These could potentially have been meant to give Chinese forces a constant supply of the sensitive and confidential data of Indian defense personnel and millions of other Indian people, in order to harm them.

Policybazaar also claims to be an ISO/IEC 27001:2013 certified company. Policybazaar has in fact violated ISO/IEC 27001:2013 through these multiple easily discoverable and exploitable vulnerabilities and by leaving them unpatched for so long. ISO/IEC 27001:2013 requires a certified organization to ensure "timely identification of vulnerabilities" and their remediation. Policybazaar failed to identify these easy-to-find and easy-to-exploit vulnerabilities for so long. Policybazaar is clearly in breach of ISO/IEC 27001:2013.

Policybazaar's false promises of security

Policybazaar's claim:

"Policybazaar.com complies with the highest standards regarding information security" - claims on their website

The fact that we discovered a total of five critical security vulnerabilities in Policybazaar proves the horrible security and unethical practices of Policybazaar. That is why, from our vast experience in the security field, our researchers strongly suspect there might be more such critical security issues (or potential intentional backdoors) in Policybazaar.

How did we get them to fix the vulnerabilities? 🛑

We responsibly and in good faith reported the findings to Policybazaar within a few hours of the vulnerabilities being discovered and confirmed by our team. Our team worked tirelessly over the weekend and continued late into the night until the early morning of 18th July 2022 in order to get the detailed report delivered to Policybazaar, so they could fix these critical vulnerabilities without any delay and secure the sensitive data affecting national security and millions of Indians. We emailed our detailed report on the morning of 18th July 2022 to Policybazaar's executive team, including Policybazaar's CEO. The report was almost 21 pages long and contained all details, ranging from technical details of all vulnerabilities to their impact.

Delay to fix the vulnerabilities

What could have taken a maximum of one hour took Policybazaar more than 7 days: securing their systems to stop the exposure of sensitive and confidential data of millions of people including Indian defense personnel.

Along with our report to Policybazaar, we also requested that they let us know a timeline for when Policybazaar planned to fix the vulnerabilities. But we never received such a timeline from them even after multiple requests, and all of the authorized Policybazaar executives who talked to us were clueless about when they would be fixing the vulnerabilities. This was extremely surprising to us, considering that the company was exposing sensitive and confidential data of millions of its customers and also affecting the national security of India. Policybazaar's horrible "no action" strategy for the security of customer data and the protection of confidential data says a lot about their ethics and security posture.

Despite several reminders, Policybazaar did not inform us when they would fix these critical vulnerabilities exposing data of millions of people, but rather just dragged it on, which left us with no option except to contact CERT-In and NCIIPC on 24th July 2022. We shared with CERT-In and NCIIPC the same detailed report, covering all the vulnerabilities, that we had shared with Policybazaar.

Considering the severity of this and the high potential chances of this being an intentional backdoor by Policybazaar, an Indian insurance aggregator funded by a Chinese company, we decided to inform Lt. Gen. (Retd.) Dr. Rajesh Pant, National Cyber Security Coordinator (NCSC), Prime Minister's Office. Dr. Pant promptly replied to us after going through the information we shared, thanked us for it, and informed us that they shall initiate action against Policybazaar.

Our timeline of communication with both CERT-In and NCIIPC is given below:

1. CERT-In

24th July 2022: Reported to CERT-In in order to escalate this, after no confirmation from Policybazaar of fixing the vulnerabilities even after almost 7 days.

25th July 2022: They replied later with:

“Dear Sir/Madam, The concerned organization has confirmed to us, that reported vulnerabilities are fixed now. You may also verify at your end and confirm to us.
----
Thanks and Regards,
CERT-In”


2. NCIIPC

24th July 2022: Reported to NCIIPC in order to escalate this, after no confirmation from Policybazaar of fixing the vulnerabilities even after almost 7 days.

25th July 2022: They replied by acknowledging the issues we reported and thanked us for our continued contribution.

What does the government now do?

There is an urgent and important need for an independent, fair, and full security audit to be ordered by the Government of India of Policybazaar, an Indian insurance aggregator funded by a Chinese company.

Policybazaar has severely and permanently damaged the privacy and security of millions of its customers and has also potentially compromised the national security of India.

How can Policybazaar guarantee to its customers and insurance providers that no data was stolen by malicious hackers even before our research team discovered these vulnerabilities and responsibly alerted Policybazaar about them? Any such confirmation requires a thorough forensic analysis of all Policybazaar systems by a neutral third-party agency, which should share its detailed report publicly. Our research analysis indicates a high chance of some malicious hackers having stolen all the customer data of Policybazaar, or of these being potentially intentional backdoor vulnerabilities. These and similar vulnerabilities must have existed for years in Policybazaar's systems; how can Policybazaar certify to its customers that no data was ever stolen, or is being or will be used maliciously by malicious hackers? What steps is Policybazaar taking to notify and compensate its customers for this?

Policybazaar's operations need to be stopped immediately to protect against further harm to national security and the privacy of Indians, until a thorough investigation by a government and defense agency is done.

What companies can do to avoid such issues?🛑

We strongly recommend that companies treat cyber security not as optional but as one of the most important things to do. All companies should have regular security testing of their applications done by experienced and skilled cyber security service providers to avoid such security vulnerabilities. Especially organizations which handle massive amounts of sensitive and confidential data of millions of people, including defense personnel, should have continuous security testing of their applications done by skilled cyber security service providers.
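As an added example of a detective control that complements the testing recommended above (written for this article, not code from Policybazaar or CyberX9), here is a Python check that reads constructed web-server access log lines and flags a client walking numeric resource ids in sequence, upward or downward, the unrestricted access pattern described in the summary. The log format, paths, addresses, session ids and thresholds are all assumptions.

```python
"""Added example: flag sequential resource-id enumeration in access logs."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample log in common log format; ids, paths, addresses and session
# ids are made up for this example. Client 203.0.113.7 walks ids upward, client
# 192.0.2.50 walks ids downward, client 198.51.100.23 only fetches its own record.
SAMPLE_LOG = """
203.0.113.7 - sess-9f2a [01/Jan/2022:02:14:01 +0530] "GET /api/v1/customer/document/5000 HTTP/1.1" 200 48213
203.0.113.7 - sess-9f2a [01/Jan/2022:02:14:01 +0530] "GET /api/v1/customer/document/5001 HTTP/1.1" 200 51002
203.0.113.7 - sess-9f2a [01/Jan/2022:02:14:02 +0530] "GET /api/v1/customer/document/5002 HTTP/1.1" 200 49977
203.0.113.7 - sess-9f2a [01/Jan/2022:02:14:02 +0530] "GET /api/v1/customer/document/5003 HTTP/1.1" 404 112
203.0.113.7 - sess-9f2a [01/Jan/2022:02:14:03 +0530] "GET /api/v1/customer/document/5004 HTTP/1.1" 200 50310
203.0.113.7 - sess-9f2a [01/Jan/2022:02:14:03 +0530] "GET /api/v1/customer/document/5005 HTTP/1.1" 200 47801
203.0.113.7 - sess-9f2a [01/Jan/2022:02:14:04 +0530] "GET /api/v1/customer/document/5006 HTTP/1.1" 200 52240
203.0.113.7 - sess-9f2a [01/Jan/2022:02:14:04 +0530] "GET /api/v1/customer/document/5007 HTTP/1.1" 200 48866
198.51.100.23 - sess-77c1 [01/Jan/2022:02:15:10 +0530] "GET /api/v1/customer/profile HTTP/1.1" 200 2210
198.51.100.23 - sess-77c1 [01/Jan/2022:02:15:12 +0530] "GET /api/v1/customer/document/8812 HTTP/1.1" 200 3311
198.51.100.23 - sess-77c1 [01/Jan/2022:02:15:40 +0530] "GET /api/v1/customer/document/8812?download=1 HTTP/1.1" 200 3311
192.0.2.50 - sess-c0de [01/Jan/2022:02:16:00 +0530] "GET /api/v1/customer/document/7003 HTTP/1.1" 200 44120
192.0.2.50 - sess-c0de [01/Jan/2022:02:16:00 +0530] "GET /api/v1/customer/document/7002 HTTP/1.1" 200 45003
192.0.2.50 - sess-c0de [01/Jan/2022:02:16:01 +0530] "GET /api/v1/customer/document/7001 HTTP/1.1" 200 43987
192.0.2.50 - sess-c0de [01/Jan/2022:02:16:01 +0530] "GET /api/v1/customer/document/7000 HTTP/1.1" 200 46510
""".strip().splitlines()

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<session>\S+) \[[^\]]+\] "GET (?P<path>\S+) HTTP/1\.\d" (?P<status>\d{3})'
)
# Trailing numeric path segment, with or without a query string after it.
ID_RE = re.compile(r'/(\d+)(?:\?|$)')


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields we need, or None for lines that do not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def longest_sequential_run(ids: List[int], max_gap: int) -> int:
    """Length of the longest run of ids that step by at most max_gap, in either direction."""
    best = run = 1
    for prev, cur in zip(ids, ids[1:]):
        if cur != prev and abs(cur - prev) <= max_gap:
            run += 1
            best = max(best, run)
        else:
            run = 1
    return best


def detect_enumeration(lines: List[str], min_run: int = 5, max_gap: int = 1) -> List[dict]:
    """Flag (ip, session) pairs whose requested ids form a sequential run of at least min_run.

    A 404 in the middle of a walk is deliberately not treated as a break: a hole
    in the id space does not change the pattern. The count of 200 responses is
    reported so an analyst can see how many probes actually returned data.
    """
    by_client: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    ok_count: Dict[Tuple[str, str], int] = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        m = ID_RE.search(rec["path"])
        if not m:
            continue
        key = (rec["ip"], rec["session"])
        by_client[key].append(int(m.group(1)))
        if rec["status"] == "200":
            ok_count[key] += 1
    alerts = []
    for key, ids in by_client.items():
        run = longest_sequential_run(ids, max_gap)
        if run >= min_run:
            alerts.append({"ip": key[0], "session": key[1], "run": run,
                           "id_span": (min(ids), max(ids)), "ok_responses": ok_count[key]})
    return alerts


if __name__ == "__main__":
    for alert in detect_enumeration(SAMPLE_LOG):
        print(alert)
```

With the default threshold only the eight-request walk is flagged; lowering `min_run` to 4 also catches the shorter downward walk, which is the usual tuning trade-off between sensitivity and false positives on legitimate browsing.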




Press: for any questions relating to this finding, feel free to contact us at press@cyberx9.com
