2023-06-08

Santam has fixed a pair of security vulnerabilities in its travel insurance website, which could potentially have exposed an extensive amount of personal information.

Santam’s Travel Insurance Consultants (TIC) is the country’s biggest travel insurer and is used by several other third parties — including banks that provide free travel insurance to their customers.

A concerned MyBroadband reader recently informed us that tic.co.za had two deficiencies that attackers could exploit to gain unauthorised access to other people’s details.

That could include names, surnames, ID and passport numbers, phone numbers, addresses, citizenship status, travel dates and destinations, the purposes of travel, and costs of their insurance policies.

The first flaw was that the numerical IDs used for the quote system were shown in plain text in the URL.

Incrementing or decrementing your quote’s ID would take you to the quotes of other users.

In some instances, these users had not reached a point in the quote process where they had entered their personal details.

However, we saw many records where quotes had been completed and personal details were accessible.

These could be seen directly on the website dashboard or extracted from the downloadable visa letter or insurance policy documents.

In addition, a person with unauthorised access would also be able to edit some users’ trip information, provided they had not yet completed payment.

The screenshots below show examples of the information of other users that could be accessed by an unauthorised party aware of the flaw.

The second vulnerability was in the search function on the traveller information page, which could only be accessed by those who had finished the quote process.

The MyBroadband reader found that it was possible to enter a known ID number in this tool, and presuming the person with that ID number had used TIC’s services, their personal and travel details could be viewed.
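The two weaknesses described above (a sequential quote ID in the URL with no ownership check, and a traveller search that returns any record matching an ID number) are both object-level authorization failures. The following is an added example, not Santam’s or TIC’s code, showing each gap in minimal form beside a hardened version. The quote store, user names, ID numbers and the `Quote` class are constructed for illustration; the fix is the ownership check on every access, with an opaque public reference shown only as a complement to it.

```python
"""Added example (not Santam/TIC code): the two access-control gaps from the
article, each beside a hardened version. All names and data are constructed."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Quote:
    quote_id: int              # sequential database key, as seen in the article's URL
    owner: str                 # session user who created the quote
    id_number: str             # traveller's national ID number
    details: dict
    paid: bool = False
    # Opaque reference for URLs; unguessable, but NOT a substitute for authorization
    public_ref: str = field(default_factory=lambda: secrets.token_urlsafe(16))


class Forbidden(Exception):
    """Raised where a web layer would answer 403/404 and log the attempt."""


# Constructed sample store (hypothetical users and ID numbers)
QUOTES: Dict[int, Quote] = {
    1001: Quote(1001, "alice", "8001015009087", {"dest": "FR"}, paid=True),
    1002: Quote(1002, "bob", "9002026009088", {"dest": "DE"}),
}
BY_REF: Dict[str, Quote] = {q.public_ref: q for q in QUOTES.values()}


# --- Flaw 1: direct object reference with no ownership check --------------
def get_quote_insecure(quote_id: int) -> Optional[Quote]:
    # /quote?id=1001 -> stepping the id reads other users' quotes
    return QUOTES.get(quote_id)


def get_quote(quote_id: int, session_user: str) -> Quote:
    """Hardened: every object access is authorized against the session owner."""
    q = QUOTES.get(quote_id)
    if q is None or q.owner != session_user:
        # Same response for "missing" and "not yours", so ids cannot be enumerated
        raise Forbidden("quote not found")
    return q


def get_quote_by_ref(public_ref: str, session_user: str) -> Quote:
    """Opaque reference in the URL instead of a counter; the ownership check stays."""
    q = BY_REF.get(public_ref)
    if q is None or q.owner != session_user:
        raise Forbidden("quote not found")
    return q


def update_trip(quote_id: int, session_user: str, new_details: dict) -> Quote:
    """Edits go through the same check, and paid quotes are locked."""
    q = get_quote(quote_id, session_user)
    if q.paid:
        raise Forbidden("quote locked after payment")
    q.details.update(new_details)
    return q


# --- Flaw 2: search by national ID number returns anyone's record ----------
def search_insecure(id_number: str) -> List[Quote]:
    # Any caller who knows an ID number sees that traveller's details
    return [q for q in QUOTES.values() if q.id_number == id_number]


def search(id_number: str, session_user: str) -> List[Quote]:
    """Hardened: the search is scoped to records the caller already owns."""
    return [
        q for q in QUOTES.values()
        if q.owner == session_user and q.id_number == id_number
    ]
```

The hardened lookups deliberately return the same "not found" result for a missing object and for someone else's object, so a response difference cannot be used to confirm which IDs exist; denied attempts are the events a web tier should log and alert on, since a burst of them against consecutive IDs is the signature of the behaviour the article describes.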

MyBroadband informed Santam about the issues at around 13:30 on Tuesday, 6 June 2023, and it promptly responded that it would get back to us.

When we accessed the website early the following day, we received an error message telling us to contact TIC on a phone number.

While the URL still contained a numerical ID in plain text, changing this would result in the same error being shown on different quotes.

Santam confirms fixes were rolled out

Less than 24 hours after our initial query, Santam provided a full response confirming it had fixed both vulnerabilities.

“Our team has actively worked to address the issues that have been identified, and the necessary changes to our system have already been implemented to ensure the protection of our customers’ information,” Santam said.

Santam said, to the best of its knowledge, no personal information from its network had been exfiltrated due to the vulnerabilities.

However, it recognised the potential for exploitation, which could have resulted in unauthorised access to sensitive information.

“We will continue to review the access to the system, and where there are any information security risks identified, Santam will implement the necessary remedial action to mitigate the risk,” the insurer said.

The insurer said it was unaware of the issues raised until we sent our query.

“As Santam, we take information security seriously, and in line with all applicable legislation, we aim to ensure that we protect the details of policyholders,” it stated.

It should be noted that the reader who told MyBroadband about the issue also tried to contact the company to report the problem, but it had not immediately acknowledged his complaint.