Hertz Leaks 60,000 Insurance Claim Reports on Their Claims Website

Legitimate emails with bad practices and an insecure website add insult to injury.

You check your phone as you take the first sip of coffee in the morning, expecting an empty inbox (ha!) since you’ve just been on vacation.

But, no. You find a lone email from the car rental company Hertz.

From: Sanghi, Benjiit <benjiit.sanghi@hertz.com>

Subject: Vehicle Damage Rental Record #5899372

He hopes the email finds you well. It did - up until you read the damage subject line.

Strange, you didn’t get into an accident during your vacation, and the agent checking in the vehicle didn’t reference an accident or note any damage. You rented from Hertz since you enjoy paying more for a reputable name-brand company to take care of your transportation needs.

This must be a scam. But you did just rent from Hertz - did they find some damage after the fact?

You look more closely at the email again, coffee forgotten.

The email is well written (acceptable, anyways).

The signature looks legitimate.

The From domain is legitimate: hertz.com.

You check the domain's email authentication records, but things look like they’re configured correctly. DMARC is set to quarantine (send to junk), and SPF says only Proofpoint can send emails.

Well, let’s view the QR code—where does it go? We’ll set aside the fact that viewing a QR code on your phone screen is the least convenient thing ever.

After jumping through the hoops of saving the image and running it through an image search, you see that it goes to… a bit.ly link? http://bit.ly/3H6KNYw?r=qr

This is precisely the URL shortener used when hackers want to hide the fact that their phishing link is going to trust-me-this-is-not-a-hacking-site-stealing-your-password.com.

Let’s add a + to the end of that so we can see where it goes: http://bit.ly/3H6KNYw+

htzra.com? Definitely scammy - phishing sites always use misspellings of words and brands, hoping you don’t notice anything is awry.

Let’s look up who registered that domain.

Hmm, private registration with GoDaddy. Not typical of a major corporation. It doesn’t look anything like the legitimate hertz.com, which is owned by The Hertz Corporation.

Your interest is piqued, and you follow that link to https://eclaim.htzra.com/.

It doesn’t look too broken; it has recognizable logos, and you see a form asking for more information!

Forms are a great way to steal information. You almost expect it to ask for your credit card details next just for “verification” purposes.

You pause for a second, curious what the main htzra.com site is hosting (without the “eclaim” subdomain).

It has an insecure certificate and isn’t set up correctly to show what the site is about, giving a stock web server error message.

You scoff, thinking this is almost certainly a novice hacker trying to harvest information.

You decide to submit a claim and see what happens.

After submitting fake information (and surprisingly, there’s no request for your credit card details), you see your “accident report” summary at /accident-report/12345.

Accident Report 12345 - what are the chances?! Who was the unlucky submitter who got accident report 12344? You quickly change the number in the URL and hit enter.

Whoops. It loads the record immediately. Adam [Redacted] got 12344. Steven [Redacted] submitted 12343. Neil [Redacted] submitted 12342. You can see all the reports by just entering the report number!

And to add insult to their injuries, the report shows the injured’s address, phone number, and age.

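It looks like Hertz, or the company they hired to build htzra.com, doesn’t have great application security practices. This is a classic access control vulnerability known as an Insecure Direct Object Reference (IDOR): the report number in the URL is the only thing the server looks at, and it never checks whether the person asking is allowed to see that report.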
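The flaw and its fix side by side, as an added example that is not part of the original post and is not the site's own code. The store classes, the `session_user` identity and the sample records are assumptions constructed for illustration, since the page does not show how the site is built.

```python
import secrets

class NotFound(Exception):
    """Raised for both missing reports and reports the caller may not see."""

class VulnerableStore:
    """The pattern described above: sequential ids, no authorization on read."""
    def __init__(self, first_id=12343):
        self._next, self._reports = first_id, {}

    def create(self, owner, fields):
        rid, self._next = self._next, self._next + 1
        self._reports[rid] = {"owner": owner, **fields}
        return rid

    def get(self, rid, session_user=None):
        return self._reports[rid]  # caller identity is never consulted

class HardenedStore:
    """Random public reference plus an ownership check on every read."""
    def __init__(self):
        self._reports = {}

    def create(self, owner, fields):
        ref = secrets.token_urlsafe(16)  # 128 random bits, not a counter
        self._reports[ref] = {"owner": owner, **fields}
        return ref

    def get(self, ref, session_user):
        report = self._reports.get(ref)
        # One error for "missing" and "not yours", so replies do not confirm which refs exist.
        if report is None or not session_user or report["owner"] != session_user:
            raise NotFound(ref)
        return report

def demo():
    """Constructed data: two submitters, then the second asks for the first's report."""
    weak, strong = VulnerableStore(), HardenedStore()
    a_id = weak.create("submitter-a", {"name": "Renter A (constructed)"})
    weak.create("submitter-b", {"name": "Renter B (constructed)"})
    a_ref = strong.create("submitter-a", {"name": "Renter A (constructed)"})
    leaked = weak.get(a_id, session_user="submitter-b")["name"]
    try:
        strong.get(a_ref, session_user="submitter-b")
        blocked = False
    except NotFound:
        blocked = True
    own = strong.get(a_ref, session_user="submitter-a")["name"]
    return leaked, blocked, own
```

The random reference only makes guessing impractical; the ownership check in `HardenedStore.get` is what actually enforces access, and it has to run on every read path.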

At the time of this writing, there were around 62,000 accident reports with names and descriptions. Fortunately, only a small percentage have more detailed information about injured renters.

You call Benjiit and tell him there’s been a mistake, toss out your cold coffee, and make a new cup.

Next family vacation, you’re renting from Sixt - at least they have a bug bounty program, and your information is less likely to be readily accessible to anyone in the world if you get into an accident.

Adversis reported this issue to Hertz and they shut down the domain and access to the information in a few days.

Timeline

September 13, 2024 - CERT responded, stating the domain is no longer accessible

September 5, 2024 - Identified and reported to cybersecurity email address
