Allianz Mobile App: Exploiting an IDOR Vulnerability to Access Sensitive Documents

Hacking

Even in the world of mobile apps, a well-known insurance provider can harbor unexpected vulnerabilities. This is the story of an incursion into the Allianz mobile app, carried out using standard auditing tools (Burp Suite/ZAP) and a security researcher’s mindset. All vulnerabilities mentioned here have since been patched, and a bounty was awarded for the discoveries.


The Trigger: Late-Night Exploration and Determination

In 2022, a spur-of-the-moment decision to test the Allianz mobile app led me down a rabbit hole of unexpected vulnerabilities. My main objective: determine whether I could access other customers’ sensitive information.

Armed with a freshly reset iPhone (certificates cleared, proxy configured), I delved into the app’s network traffic. At first glance, the interface appeared minimalistic—sometimes, fewer features mean fewer entry points for attackers. But my focus was on identifying major flaws that were quick to uncover and critical to fix.


The First Find: A Classic IDOR

My initial entry point was the following URL:

/individual/refunds/details
  • Vulnerable Parameter: contractId
  • Type of Flaw: Insecure Direct Object Reference (IDOR)

Hint: By altering contractId values, an attacker could load refund details for other insurance contracts, threatening the confidentiality of Allianz customers.

No robust access controls or authentication checks were in place, making it trivially easy to change contractId and obtain sensitive information about others’ contracts.


Dynamic Analysis: Iteration, Parameters, and Documents

1. Contract Enumeration: /v1/getdocumentsconsultables

While intercepting numerous POST requests, I discovered:

/v1/getdocumentsconsultables
  • Primary Purpose: List documents available to the logged-in user.
  • Technical Detail: The session token in the header proved who the caller was, but the server never used it to check whether that caller actually owned the contract named in the request body.

Hint: A numeroContrat parameter in the request body could be iterated over (using non-random contract IDs), revealing documents like DCPASS, ATTMADELIN, AEPA, and more.

2. Exposing numeroINSEE

Some sensitive documents—like third-party payment statements (TP)—required a numeroINSEE parameter for display. The catch: numeroINSEE could be obtained from a separate endpoint with a similar IDOR flaw, thus opening the door to even more personal data.


Document Retrieval: Executing the Digital Heist

Once you know which documents exist, the next step is to download them. This was done via the endpoint:

/v1/getdocumentcontentged
  • Crucial Parameter: identifiantGED (the document ID to download)
  • Payload: A POST request containing parameters such as identifiantGED, which you could replace with the targeted document ID.

Hint: The documents were Base64-encoded, simplifying their extraction and decoding.


Wide-Open Exfiltration

Chaining these three IDOR vulnerabilities together allowed an attacker to:

  1. Change contractId to gain partial access to someone’s refund details.
  2. Iterate over numeroContrat to list every document available for different contracts.
  3. Retrieve numeroINSEE (via another IDOR) to unlock the most sensitive documents (e.g., third-party payment statements).

Armed with these steps, one could download virtually any document belonging to Allianz customers. The CVSS rating for this exploit chain was 8.6 (High), reflecting its severity.


Aftermath and Fixes

Following responsible disclosure of these IDOR flaws to Allianz, the app underwent significant changes:

  • Enhanced Access Control: Sensitive endpoints now require strict authentication checks.
  • Feature Removal: It’s no longer possible to download certain documents through the original methods.
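What such an access-control fix looks like in code, as an added example that is not Allianz's code: a document-listing handler with only an authentication check (the IDOR pattern described for /v1/getdocumentsconsultables) next to one that also binds the requested numeroContrat to the authenticated customer, plus a small log heuristic for spotting enumeration. The data model, session shape and log format are constructed assumptions.

```python
# Added example (not Allianz code). Object-level authorization for a
# document-listing endpoint, and a detection aid for contract enumeration.
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Session:
    """Authenticated caller. customer_id comes from the validated token, never from the body."""
    customer_id: str


# Constructed data: which customer owns which contract, and the documents per contract.
CONTRACT_OWNER: Dict[str, str] = {"100001": "cust-A", "100002": "cust-B"}
DOCUMENTS: Dict[str, List[str]] = {
    "100001": ["DCPASS", "ATTMADELIN"],
    "100002": ["AEPA", "TP"],
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested object."""


def list_documents_vulnerable(session: Session, numero_contrat: str) -> List[str]:
    # Authentication only: any logged-in user can read any contract's document list
    # by changing numeroContrat in the body. This is the IDOR.
    if session is None:
        raise Forbidden("not authenticated")
    return DOCUMENTS.get(numero_contrat, [])


def list_documents_fixed(session: Session, numero_contrat: str) -> List[str]:
    # Object-level check: the contract must belong to the authenticated customer.
    # Unknown and foreign contracts get the same answer, so existence is not leaked.
    if session is None:
        raise Forbidden("not authenticated")
    if CONTRACT_OWNER.get(numero_contrat) != session.customer_id:
        raise Forbidden("contract not accessible to this customer")
    return DOCUMENTS.get(numero_contrat, [])


def count_contracts_per_session(log_lines: List[str]) -> Dict[str, int]:
    """Detection aid: distinct numeroContrat values requested per session.
    A single session touching many contracts is a strong enumeration signal.
    Constructed log format: '<session> <endpoint> numeroContrat=<n>'."""
    seen: Dict[str, Set[str]] = {}
    for line in log_lines:
        sid, _endpoint, param = line.split()
        seen.setdefault(sid, set()).add(param.split("=", 1)[1])
    return {sid: len(ids) for sid, ids in seen.items()}
```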

Allianz acknowledged the severity of these vulnerabilities and awarded a bug bounty for the findings.


Conclusion: When Simplicity Masks a Heist

This experience underscores the need for thoroughly auditing entry points in mobile applications, even if they seem basic. IDOR vulnerabilities, which remain widespread, can lead to massive data exfiltration if not properly managed.

All the vulnerabilities described have since been corrected, and I received compensation for these discoveries. It’s yet another reminder that app security demands ongoing vigilance—and that bug bounty programs are a valuable tool for enhancing the robustness of digital platforms.