Infiltrating the Fortress: Allianz Mobile App Under Siege: A Cyber Heist Chronicle and the App’s Silent Countermeasures

In the year 2022, during a night of curiosity and digital exploration, I decided to download my insurance provider’s mobile app - Allianz. Little did I know, this journey would lead me into the labyrinthine depths of the app’s inner workings. My objective? To uncover any potential access to other policyholders’ information or even more sensitive documents.

It’s essential to emphasize that the vulnerabilities discussed here have been duly patched, and I received a bounty for my discoveries.

Preparing for the Expedition

As any seasoned cyber vulnerability hunter would attest, a well-equipped arsenal is essential. For such endeavors, nothing beats the trusty old tools like Burp Suite or, for the faithful, ZAP.

After resetting certificates and configuring my Apple device meticulously, I was ready to delve into the intricate network communications of this mobile application.

At first glance, it appeared rather simple, with minimal user interactions. In such cases, simplicity can be a nuisance. I wasn’t interested in prolonged exploration; I sought immediate, impactful vulnerabilities.

Uncovering the First Gem - IDOR Strikes

My initial breakthrough came in the form of an insecure direct object reference (IDOR) vulnerability. I stumbled upon a URL - /individual/refunds/details - housing a vulnerable GET parameter named contractId. This URL was designed to display refund details for a given contractId.

This discovery was already significant, as it posed a substantial threat to user confidentiality. However, my ultimate goal was to access documents like third-party payment records for a specific user or contract.

On-the-Fly Analysis

After recording most of the possible POST requests, I decided to analyze all the payloads. It wasn’t long before I uncovered an ID (yes, not a UUID) that seemed to be iterated.

The endpoint /v1/getdocumentsconsultables was used to list the documents currently consultable for the logged-in user (that was the initial intent, at least). However, it turned out that the session token in the headers was not what decided which contract these endpoints would serve. As a result, the numeroContrat parameter in the payload allowed us to iterate through available contracts and list their documents.

Soon enough, documents such as DCPASS, ATTMADELIN, and AEPA began to appear, each with its own ID. However, there was still no sign of the coveted third-party payment (TP) documents.

Further investigation revealed that to view TP documents in the list, we needed another parameter - numeroINSEE, corresponding to the contract. Fortunately for us, this number was obtainable through another endpoint vulnerable to IDOR.

Document Retrieval - A Digital Heist

The document download function was invoked through the endpoint /v1/getdocumentcontentged, supported by various POST arguments. The one related to the document’s ID was identifiantGED. By modifying this argument with the ID of a previously listed document, we could download the desired document in base64 format.
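The root cause behind both document endpoints is the same: the server looks up whatever numeroContrat or identifiantGED the client sends, without checking that the object belongs to the authenticated session. The following is an added example (not Allianz's code, written for this post) that models that vulnerable shape next to the corrected one. All users, contract numbers and documents are constructed sample data; the helper `_owned_contracts` stands in for whatever the real backend would use to resolve a session to its policyholder's contracts.

```python
"""Object-level authorization for document endpoints (added example, not the
app's own code). Every identifier below is constructed sample data."""
import base64
from typing import Dict, List, Set

# Constructed sample data: contracts owned by each authenticated user, and the
# contract each stored document belongs to (document types taken from the post).
CONTRACTS_BY_USER: Dict[str, Set[str]] = {
    "user-A": {"C-1001"},
    "user-B": {"C-2002"},
}
DOCUMENTS: Dict[str, dict] = {
    "GED-1": {"contract": "C-1001", "type": "DCPASS", "content": b"pass document"},
    "GED-2": {"contract": "C-2002", "type": "ATTMADELIN", "content": b"madelin attestation"},
}


def _owned_contracts(session_user: str) -> Set[str]:
    """Authoritative answer to 'what may this caller see'. It is derived from the
    authenticated session, never from anything in the request body."""
    return CONTRACTS_BY_USER.get(session_user, set())


def _documents_for(contract: str) -> List[str]:
    return sorted(doc_id for doc_id, meta in DOCUMENTS.items() if meta["contract"] == contract)


# --- Vulnerable shape: the body parameter is the only thing consulted. The
# session proves the caller is logged in, but not that the object is theirs. ---
def list_documents_vulnerable(session_user: str, payload: dict) -> dict:
    contract = payload["numeroContrat"]
    return {"status": 200, "documents": _documents_for(contract)}


def get_document_vulnerable(session_user: str, payload: dict) -> dict:
    doc = DOCUMENTS.get(payload["identifiantGED"])
    if doc is None:
        return {"status": 404}
    return {"status": 200, "content": base64.b64encode(doc["content"]).decode()}


# --- Fixed shape: every object identifier is checked against the session's
# own contracts before any lookup result is returned. ---
def list_documents_fixed(session_user: str, payload: dict) -> dict:
    contract = payload["numeroContrat"]
    if contract not in _owned_contracts(session_user):
        # Same response as "no such contract": do not confirm that a foreign
        # contract number exists.
        return {"status": 404}
    return {"status": 200, "documents": _documents_for(contract)}


def get_document_fixed(session_user: str, payload: dict) -> dict:
    doc = DOCUMENTS.get(payload["identifiantGED"])
    # Ownership is resolved through the document's contract, so a valid-looking
    # identifiantGED is not enough on its own.
    if doc is None or doc["contract"] not in _owned_contracts(session_user):
        return {"status": 404}
    return {"status": 200, "content": base64.b64encode(doc["content"]).decode()}


if __name__ == "__main__":
    # user-A asks for user-B's contract: served by the vulnerable handler,
    # refused by the fixed one.
    print(list_documents_vulnerable("user-A", {"numeroContrat": "C-2002"}))
    print(list_documents_fixed("user-A", {"numeroContrat": "C-2002"}))
    print(get_document_fixed("user-A", {"identifiantGED": "GED-2"}))
    print(get_document_fixed("user-B", {"identifiantGED": "GED-2"})["status"])
```

The same ownership check belongs on the refund endpoint (contractId) and on whichever endpoint returned numeroINSEE: once every identifier is validated against the session, the chain described in the post has no link left to start from. Answering 404 rather than 403 for foreign objects is a design choice; it keeps the response identical to a genuinely unknown identifier.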

The Grand Coup and the Shutdown

Through the clever combination of these three IDOR vulnerabilities, we could iterate through all available contracts and download all associated documents. The severity of these vulnerabilities earned a CVSS score of 8.6, firmly in the “High” range.
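An IDOR chain like this one leaves a distinctive trace in access logs: a single session requesting many distinct, often consecutive, contract or document identifiers on the affected endpoints, while a real policyholder touches one or two. The following is an added example (not Allianz's code) of that detection logic run over constructed log lines; the log format, the session and user names, the `OBJECT_PARAMS` list and the alert threshold of three distinct identifiers are all assumptions made for the example.

```python
"""Flag sessions that walk through object identifiers on the document endpoints
(added example, not the app's own tooling). Log lines are constructed."""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample access log (assumed format). Session s1 behaves like a
# normal policyholder; session s2 steps through consecutive contract numbers.
SAMPLE_LOG = """\
2022-05-01T02:13:01Z session=s1 user=user-A POST /v1/getdocumentsconsultables numeroContrat=C-1001 status=200
2022-05-01T02:13:05Z session=s1 user=user-A POST /v1/getdocumentcontentged identifiantGED=GED-1 status=200
2022-05-01T02:20:11Z session=s2 user=user-C POST /v1/getdocumentsconsultables numeroContrat=C-3000 status=200
2022-05-01T02:20:12Z session=s2 user=user-C POST /v1/getdocumentsconsultables numeroContrat=C-3001 status=404
2022-05-01T02:20:13Z session=s2 user=user-C POST /v1/getdocumentsconsultables numeroContrat=C-3002 status=404
2022-05-01T02:20:14Z session=s2 user=user-C POST /v1/getdocumentsconsultables numeroContrat=C-3003 status=404
2022-05-01T02:20:15Z session=s2 user=user-C POST /v1/getdocumentsconsultables numeroContrat=C-3004 status=404
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<session>\S+) user=(?P<user>\S+) "
    r"(?P<method>\S+) (?P<path>\S+) (?P<param>\w+)=(?P<value>\S+) status=(?P<status>\d+)$"
)

# Request parameters that carry an object reference (names taken from the post).
OBJECT_PARAMS = {"contractId", "numeroContrat", "numeroINSEE", "identifiantGED"}


def parse_log(text: str) -> List[dict]:
    """Parse the assumed log format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            event = m.groupdict()
            event["status"] = int(event["status"])
            events.append(event)
    return events


def _looks_sequential(values: Set[str]) -> bool:
    """True when the trailing numeric parts form an unbroken +1 sequence."""
    numbers = []
    for value in values:
        m = re.search(r"\d+$", value)
        if m:
            numbers.append(int(m.group()))
    numbers.sort()
    if len(numbers) < 3:
        return False
    return all(b - a == 1 for a, b in zip(numbers, numbers[1:]))


def find_enumeration(events: List[dict], threshold: int = 3) -> List[dict]:
    """One alert per (session, parameter) that touched >= threshold distinct ids.
    The threshold is an assumption; tune it to how many contracts a real user has."""
    distinct: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    denied: Dict[Tuple[str, str], int] = defaultdict(int)
    for e in events:
        if e["param"] not in OBJECT_PARAMS:
            continue
        key = (e["session"], e["param"])
        distinct[key].add(e["value"])
        if e["status"] >= 400:
            denied[key] += 1  # after the fix, probing shows up as refusals
    alerts = []
    for (session, param), values in sorted(distinct.items()):
        if len(values) >= threshold:
            alerts.append({
                "session": session,
                "param": param,
                "distinct_ids": len(values),
                "sequential": _looks_sequential(values),
                "denied": denied[(session, param)],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_enumeration(parse_log(SAMPLE_LOG)):
        print(alert)
```

The "sequential" flag is what makes the iterated, non-UUID identifier the post mentions so visible: a user opening their own documents never produces C-3000, C-3001, C-3002 in a row. Counting refusals separately matters because, once the ownership check is in place, the same probing continues to appear in logs, only as a run of 404s.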

As an interesting twist in the tale, it’s worth noting that since the discovery and responsible disclosure of these vulnerabilities, the Allianz mobile application no longer allows users to download documents through these methods.

This digital escapade was not without its rewards, as a bounty was indeed paid for these discoveries. A+, fellow hackers, and may your exploits continue to uncover the secrets lurking within digital fortresses.