Hertz promptly fixed this issue after this was reported.
You check your phone as you take the first sip of coffee in the morning, expecting an empty inbox (ha!) since you’ve just been on vacation.
But, no. You find a lone email from the car rental company Hertz.
From: Sanghi, Benjiit <...@hertz.com>
Subject: Vehicle Damage Rental Record #5899372
He hopes the email finds you well. It did - up until you read the damage subject line.
Strange, you didn’t get into an accident during your vacation, and the agent checking in the vehicle didn’t reference an accident or note any damage. You rented from Hertz since you enjoy paying more for a reputable name-brand company to take care of your transportation needs.
This must be a scam. But you did just rent from Hertz - did they find some damage after the fact?
You look more closely at the email again, coffee forgotten.
The email is well written (acceptable, anyways).
The signature looks legitimate.
The From domain is legitimate: hertz.com
.
You check the email records, but things look like they’re configured correctly. DMARC is set to quarantine (send to junk), and SPF says only Proofpoint can send emails.
Well, let’s view the QR code—where does it go? We’ll set aside the fact that viewing a QR code on your phone screen is the least convenient thing ever.
After jumping through saving and image searching, you see that it goes to… a bit.ly link? http://bit.ly/3H6KNYw?r=qr
This is precisely the URL shortener used when hackers want to hide the fact that their phishing link is going to trust-me-this-is-not-a-hacking-site-stealing-your-password.com.
Let’s add a +
to the end of that so we can see where it goes: http://bit.ly/3H6KNYw+
htzra.com
? Definitely scammy - phishing sites always use misspellings of words and brands, hoping you don’t notice anything is awry.
Let’s look up who registered that domain.
Hmm, private registration with GoDaddy. Not typical of a major corporation. It doesn’t look anything like the legitimate hertz.com
which is owned by The Hertz Corporation
.
Your interest is piqued, and you follow that link to https://eclaim.htzra.com/
.
It doesn’t look too broken; it has recognizable logos, and you see a form asking for more information!
Forms are a great way to steal information. You almost expect it to ask for your credit card details next just for “verification” purposes.
You pause for a second, curious what the main htzra.com
site is hosting (without the “eclaim
” subdomain).
It has an insecure certificate and isn’t set up correctly to show what the site is about, giving a stock web server error message.
You scoff, thinking this is almost certainly a novice hacker trying to harvest information.
You decide to submit a claim and see what happens.
After submitting fake information (and surprisingly, there’s no request for your credit card details), you see your “accident report” summary at /accident-report/12345
.
Accident Report 12345
- what are the chances?! Who was the unlucky submitter who got accident report 12344
? You quickly change the number in the URL and hit enter.
Whoops. It loads the record immediately. Adam [Redacted] got 12344
. Steven [Redacted] submitted 12343
. Neil [Redacted] submitted 12342
. You can see all the reports by just entering the report number!
And to add insult to their injuries, the report shows the injured’s address, phone number, and age.
It looks like the company Hertz hired to build htzra.com
, doesn’t have great application security practices. This is a classic access control vulnerability known as Insecure Direct Object Reference.
You call Benjiit and tell him there’s been a mistake, toss out your cold coffee, and make a new cup.
Next family vacation, you’re renting from Sixt - at least they have a bug bounty program.
Adversis reported this issue to Hertz and their vendor shut down the application along with access to the information in just a few days. Kudos to the team for taking quick action.
September 13, 2024 - CERT responded, stating the domain is no longer accessible
September 5, 2024 - Identified and reported to cybersecurity email address