insdubai.com: Motor insurance policies and data of insured persons were exposed on an unprotected server


The page no longer exists; the server that displayed documents from policyholders of various insurance companies has been shut down.


SUMMARY

This report details a misconfiguration in a publicly exposed server containing sensitive files belonging to policyholders in the United Arab Emirates. After responsible disclosure to the affected entities and the UAE Cybersecurity Center, the server was taken offline, thereby securing the policyholders’ data. No response was received from the involved parties; the server was simply closed.  

Who is Insdubai?

It is a portal specializing in the digital management and validation of motor insurance policies in the United Arab Emirates. Its main function is to provide a centralized environment where insurers issue official documents that comply with the regulations of the UAE Insurance Authority.

Finding the exposed data:

The index page of insdubai.com is open, showing the files of various insurance companies.


During my investigation, I discovered this server publicly exposed on April 7. It contained approximately 16 GB of data. The folder assets/uploaded-policies held insurance policies uploaded by various insurance companies in the United Arab Emirates. I reviewed the files and identified the following companies, among others:

Examining the exposed data

The files had been publicly exposed since at least May 30, 2025, although I was unable to confirm an earlier date. Among the various documents found on this unprotected server, the majority were motor insurance policies. These included policies for individuals as well as local businesses and companies in Dubai.


For example, we found a vehicle insurance policy issued by Alliance Insurance that contains the insured’s full name, residential address, telephone number, email address, Emirates ID, policy number, policy type, details of the insured vehicle, coverage period, and premium paid.

The document from the insurance company Alliance Insurance reveals information about the insured who hired an intermediary to carry out this procedure.


The dates on these documents ranged from 2025 to 2026, indicating that the data had been exposed relatively recently. Google’s search engine had already indexed the server, as shown in the image below.


Google had indexed the files on insdubai.com, but today the page no longer exists and everything has been deleted.






RISKS

Anyone could easily access and view the personal data of the insured parties on this unprotected server. This significantly increased the risk that malicious actors may have downloaded the files and could exploit the information for scams, fraud, identity theft, document forgery, phishing, extortion, or by selling the data on the Dark Web.


NOTIFYING

On our end, we acted quickly to protect this data and ensure the publicly exposed server was taken offline as soon as possible. To this end, we sent responsible disclosure emails to the affected parties on the following dates:

On April 7, we sent an email to all the insurance companies mentioned in this report, alerting them that a publicly exposed server containing approximately 16 GB of data — including motor insurance policies from various UAE insurers — had been discovered. A copy of this notification was also sent to aeCERT (the UAE National Computer Emergency Response Team).


As is common in responsible disclosure cases, I received no response from any of the insurance companies or from aeCERT. However, I later confirmed that the server stopped responding on April 21, and the domain insdubai.com, hosted on GoDaddy, became unavailable. The data is now protected.


Report published: May 15, 2026  
Security Researcher: chum1ng0





