
My car insurance exposed my location - daureg
https://scarpino.xyz/posts/how-my-car-insurance-exposed-my-position.html
======
jimnotgym
comments from the first time this was posted here
[https://news.ycombinator.com/item?id=14314205](https://news.ycombinator.com/item?id=14314205)

------
carbocation
Denouement, in which the author is not rewarded:

> _The company fixed the leak 3 weeks later by providing new Web services
> endpoints that use authenticated calls. The company mailed its users telling
> them to update their App as soon as possible. The old Web services were
> shut down 1 month and a half after my first contact with the CERT
> Nazionale._

> _I could be wrong, but I suspect the privacy flaw has been around for 3
> years because the first Android version of the App uses the same APIs._

> _I got no bounty._

> _The company is a leading provider of telematics solutions._

I wonder how much that flaw would have fetched from a malicious actor?

~~~
tptacek
Not much. It's a good finding; as a bounty submission (for a good company), I
could see it getting $1-$2k. But I don't think there's a market for these
kinds of information leakage bugs. As a rule of thumb: if you can't plug a
vulnerability directly into a business process that was already built and
operationalized on _some other vulnerability_ , it's probably not worth
anything on the black market.

~~~
jdavis703
It might be good for class action lawyers and bounty hunters to start teaming
up. Then the company either settles up to avoid a trial and bad publicity, or
else they have an expensive court battle with potential negative PR coming
out.

~~~
tptacek
Something like that already happened with Justine Bone and Medsec.

------
wpietri
Wow. This is gross negligence. Short version: the guy's insurance company had
him put a GPS-enabled device in his car to measure usage. With no auth and
only the car's license plate number, you can track the car, find out who owns
it, and get a bunch of stats.

This is the kind of thing that should result in a fine of millions of dollars.
They never even tried to secure this.

------
sebazzz
I have not seen him mentioning that the web service is apparently invoked over
insecure http. You can still add authentication, but if the service is running
over http you might as well not have any authentication at all.

~~~
alasdair_
> I have not seen him mentioning that the web service is apparently invoked
> over insecure http.

It's mentioned. From the blog post: "besides the ugliest formatting ever and
the fact the request uses plain HTTP"
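The two design faults discussed in this subthread and in wpietri's comment above (a lookup keyed only by the public license plate with no authentication, served over plain HTTP) can be shown side by side with a hardened version. The following is an added example written for this page; it is not code from the blog post, the thread, or the insurer. The handler names, the `VEHICLES` and `SESSIONS` tables and every plate and token in them are constructed sample data.

```python
"""Toy model of a telematics position lookup: the vulnerable pattern the
thread describes beside a hardened handler (added example, constructed data)."""
from dataclasses import dataclass, field
import hmac

# Constructed sample data: plate -> owner account and last known position.
VEHICLES = {
    "AB123CD": {"owner": "user-1", "lat": 45.46, "lon": 9.19},
    "EF456GH": {"owner": "user-2", "lat": 41.90, "lon": 12.49},
}
# Constructed session store: bearer token -> authenticated account.
SESSIONS = {"tok-user-1": "user-1", "tok-user-2": "user-2"}


@dataclass
class Request:
    scheme: str                      # "http" or "https"
    params: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: dict


def lookup_vulnerable(req: Request) -> Response:
    """The pattern the thread describes: the only 'key' is the plate number.
    A plate is painted on the car, so anyone who can read it can track it."""
    plate = req.params.get("plate", "")
    v = VEHICLES.get(plate)
    if v is None:
        return Response(404, {"error": "unknown plate"})
    return Response(200, {"plate": plate, "lat": v["lat"], "lon": v["lon"]})


def authenticate(req: Request):
    """Return the account bound to the bearer token, or None."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    token = auth[len("Bearer "):]
    # Constant-time comparison so token checking does not leak via timing.
    for stored, user in SESSIONS.items():
        if hmac.compare_digest(stored, token):
            return user
    return None


def lookup_hardened(req: Request) -> Response:
    """Transport check, then authentication, then per-vehicle authorization."""
    # 1. Transport: a bearer token sent over plain HTTP is readable by anyone
    #    on the path, which is sebazzz's point above. Refuse it outright.
    if req.scheme != "https":
        return Response(400, {"error": "https required"})
    # 2. Authentication: the caller must present a valid session.
    user = authenticate(req)
    if user is None:
        return Response(401, {"error": "authentication required"})
    # 3. Authorization: the plate must belong to the authenticated account.
    #    "Not yours" and "does not exist" get the same answer so the endpoint
    #    cannot be used to enumerate which plates are enrolled.
    plate = req.params.get("plate", "")
    v = VEHICLES.get(plate)
    if v is None or v["owner"] != user:
        return Response(404, {"error": "no such vehicle for this account"})
    return Response(200, {"plate": plate, "lat": v["lat"], "lon": v["lon"]})


if __name__ == "__main__":
    anon = Request("http", {"plate": "AB123CD"})
    print("vulnerable, anonymous:", lookup_vulnerable(anon))
    print("hardened, anonymous:  ", lookup_hardened(anon))
    owner = Request("https", {"plate": "AB123CD"},
                    {"Authorization": "Bearer tok-user-1"})
    print("hardened, owner:      ", lookup_hardened(owner))
```

The ordering in `lookup_hardened` matters: the transport check runs before any credential is examined, and the ownership check is folded into the existence check so that a valid account cannot probe other customers' plates one at a time.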

------
razki
Pretty certain I read this last year.

------
kevin_thibedeau
Unless there has been some new innovation in this space, the OBD behavior
trackers are just accelerometers. The typical placement down in the driver's
footwell makes GPS too unreliable to bother with. The GPS correlation comes
from being foolish enough to install their app.

~~~
danepowell
There are many insurance companies that use OBD GPS trackers, as well as
standalone trackers that plug into the cigarette lighter, in order to charge
based on mileage.

e.g. [https://www.metromile.com/](https://www.metromile.com/)

~~~
smt88
They don't work well. I deal with them at work. The data is terrible.

