Established in 2000, Birla Sun Life Insurance Company Limited (BSLI) is a joint venture between the Aditya Birla Group, a well known and trusted name globally amongst Indian conglomerates and Sun Life Financial Inc, leading international financial services organization from Canada.
Known for its innovation and creating industry benchmarks, BSLI has several firsts to its credit. It was the first Indian Insurance Company to introduce “Free Look Period” and the same was made mandatory by IRDA for all other life insurance companies. Additionally, BSLI pioneered the launch of Unit Linked Life Insurance plans amongst the private players in India.
A critical SQL Injection vulnerability has been discovered in Birlasunlife web portal. It’s more than 3 months since we notified the company about this vulnerability but no action has yet been taken to fix this critical issue. Using this vulnerability, any malicious attacker can gain full access to various databases (as shown in the below screenshots) which can subsequently be used to dump various data. Vulnerable URL:
Proof Of Concept
- 11-Aug-2011: Vulnerability discovered & reported to the company along with POC.
- 17-Sep-2011: Reminder sent to the company.
- 03-Dec-2011: Public disclosure since company fails to take any issue.
No data has been dumped; database has been accessed just to take screenshots so that we can make company believe that the aforesaid flaw actually because most of the companies use to treat the like advisories/disclosure as junk and don’t believe the researcher’s which may later cause them huge.
We respect the confidentiality of the company that’s why we have restricted the contents of our screen-shots to various non-informative info only. We hope that after this public disclosure, company will take some immediate steps to fix-up this critical vulnerability asap.