Information Leakage from China Life Official Website
The website's SOAP interfaces allow accounts to be registered without limit and registered user information to be queried by brute force, leaking user information. The leaked information covers the user's real name, email address and mobile phone number, which is highly valuable to an attacker.
The SOAP interfaces of www.chinalife.com.cn can be called directly with a SOAP client tool. The registration interface accepts an unlimited number of registrations, and the query interface returns a registered user's information when given an ID card number or email address, with no verification at all, so user information leaks. The returned information covers the user's mobile phone number and email address.
http://www.chinalife.com.cn/online/services/appRegisterQueryService?wsdl
http://www.chinalife.com.cn/online/services/appRegisterUserService?wsdl
Calling the China Life registration interface with a SOAP tool, accounts can be registered without any limit, for example:
Through the same tool, an ID card number alone is enough to query all of a user's information; no verification information is required.
Queries can be brute-forced using ID card numbers or using user names.
Solution:
Require a key to control client access to the interface. A key alone does not stop enumeration by a client that holds one, so also limit the query rate per client.
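As an added example, not code from the original report and not China Life's own implementation, the following Python models the reported lookup (any caller who knows or guesses an ID number gets the full record) beside a version that applies the suggested fix: a per-client key used to HMAC-sign each request, a freshness check, a per-client rate limit, and masked output so that even an authorised caller does not receive the full mobile number or email. The user records, client IDs, secrets and the signing scheme are all constructed for the example and are assumptions, not details from the page.

```python
import hashlib
import hmac
import time
from collections import defaultdict

# Constructed sample records for this example; these are not real users.
# Keys are 18-digit national ID numbers, the lookup key the report describes.
USERS = {
    "110101199001011234": {"name": "Zhang San", "email": "zhangsan@example.com", "mobile": "13800000001"},
    "310101198512120345": {"name": "Li Si", "email": "lisi@example.com", "mobile": "13900000002"},
}


def lookup_unprotected(id_number):
    """Models the reported behaviour: whoever supplies an ID number gets the
    whole record back, with no credential and no rate limit."""
    return USERS.get(id_number)


def mask_mobile(mobile):
    # Keep the prefix and last four digits, hide the middle.
    return mobile[:3] + "****" + mobile[-4:]


def mask_email(email):
    local, _, domain = email.partition("@")
    return local[:2] + "***@" + domain


def sign_request(secret, client_id, id_number, timestamp):
    """Client side: HMAC-SHA256 over the request fields (hypothetical scheme)."""
    msg = f"{client_id}|{id_number}|{timestamp}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class KeyedLookupService:
    """Server side: per-client key, freshness window, per-client rate limit and
    masked output. `now` is injectable so the rate limit can be tested offline."""

    def __init__(self, client_keys, limit=5, window_seconds=60, max_skew=300, now=time.time):
        self.client_keys = client_keys          # client_id -> secret bytes (hypothetical clients)
        self.limit = limit                      # allowed lookups per client per window
        self.window = window_seconds
        self.max_skew = max_skew                # seconds a signed request stays valid
        self.now = now
        self.calls = defaultdict(list)          # client_id -> timestamps of recent lookups

    def _check_rate(self, client_id):
        t = self.now()
        recent = [x for x in self.calls[client_id] if t - x < self.window]
        if len(recent) >= self.limit:
            raise PermissionError("rate limit exceeded")
        recent.append(t)
        self.calls[client_id] = recent

    def lookup(self, client_id, id_number, timestamp, signature):
        secret = self.client_keys.get(client_id)
        if secret is None:
            raise PermissionError("unknown client")
        if abs(self.now() - timestamp) > self.max_skew:
            raise PermissionError("stale request")
        expected = sign_request(secret, client_id, id_number, timestamp)
        if not hmac.compare_digest(expected, signature):
            raise PermissionError("bad signature")
        # Only authenticated calls count, so forged requests cannot burn a
        # legitimate client's quota; the limit still caps enumeration by a key holder.
        self._check_rate(client_id)
        rec = USERS.get(id_number)
        if rec is None:
            return None
        return {
            "name": rec["name"],
            "email": mask_email(rec["email"]),
            "mobile": mask_mobile(rec["mobile"]),
        }


if __name__ == "__main__":
    svc = KeyedLookupService({"agent1": b"secret-1"}, limit=2)
    ts = int(time.time())
    sig = sign_request(b"secret-1", "agent1", "110101199001011234", ts)
    print(lookup_unprotected("110101199001011234"))
    print(svc.lookup("agent1", "110101199001011234", ts, sig))
```

The key check answers the report's "no verification" point; the rate limit and the masked fields address the brute-force enumeration that a key alone would not prevent once a client credential is obtained or abused.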