Popular US car rental company Hertz didn’t spot this access control vulnerability


What looked like a phishing email was just bad cybersecurity practices from a popular US car rental company.

One morning, a member of Adversis, a cybersecurity consultancy and assessment firm, received an email from Hertz, a popular American car rental company based in Florida.

The email read:


“Hello,

I hope this email finds you well. Upon the return of your vehicle, damage was notated, but we did not receive a complete vehicle incident report. It is part of our procedure for us to have you physically sign an incident report and return it to us as soon as possible. I have attached a QR code for you to use in order for us to process your information instantly. Please complete it to the best of your ability and email me back to confirm completion.

If you have any questions or concerns, please do not hesitate to contact me. Sorry if this causes any inconvenience, thank you in advance for your quick response.”

Despite the email being decently written and coming from a legitimate domain, something just didn’t seem right.

Being in the cybersecurity industry and having experience with phishing scams, the recipient began investigating.

Although the renter didn’t get into an accident during their trip, and they did hire a car from Hertz, maybe some damage was found. But still, something just didn’t seem right.

The email records looked fine. The domain’s Domain-based Message Authentication, Reporting and Conformance (DMARC) policy, an authentication protocol that helps prevent a legitimate domain from being spoofed, was set to send failing messages to junk, and its Sender Policy Framework (SPF) record, an email authentication method that identifies which servers are allowed to send mail for a domain, said that only Proofpoint could send these emails.

Everything seemed normal. But they didn’t know there was a vulnerability that would allow anyone to see accident reports, including customers' sensitive information.


As stated in the email, there was a QR code that claimed to take customers to a site where they could fill out the accident form. But this is where things got fishy.

The QR code led to a ‘bit.ly’ link, a URL shortener that attackers commonly use to conceal a link's real destination. To explore the rabbit hole further, the Adversis member appended a ‘+’ to the shortened URL, which makes bit.ly show the destination instead of redirecting to it, revealing that it pointed to eclaim.htzra.com.

This was a big red flag, as scam or phishing websites often use misspelled or look-alike versions of reputable brand names. However, more investigation was needed to determine whether this was a scam.

They found that the domain was privately registered through GoDaddy, an American domain registrar, rather than in Hertz’s name.

Following the link didn’t raise any red flags. It wasn’t broken and displayed legitimate logos of companies, including Hertz, until the Adversis member typed in the bare domain htzra.com and found that it led to an insecure website that displayed nothing but a generic “Forbidden” web-server error message.

Nonetheless, the recipient filed a report using fake information and received an accident report number – 12345.

But who got accident report number 12344? When the member typed 12344 into the URL in place of their own report number, the vulnerability revealed itself.

The record loaded up immediately, and information about the person who filed the report was out there for anyone to see. You could see any report by just entering the right report number.

Those who filed the reports included their full names, addresses, ages, and phone numbers, which anyone who knew how to find them could access.

“It looks like the company Hertz hired to build htzra.com doesn’t have great application security practices. This classic access control vulnerability is called Insecure Direct Object Reference,” Adversis said.


Adversis reported the issue to Hertz, who quickly closed the application along with access to the information in the accident reports.