> As recently seen with Intel, there seems to be a trend where developers will do this pointless client-side decryption. When the client has the key, it’s strange that anyone would think that would be secure.
I stay and work in India. Yesterday, as part of a VAPT audit by a third party auditor, the auditors "recommended" that we do exactly this. I wonder if this directive comes as part of some outdated cyber security guidelines that are passed around here? Not entirely sure.
When I asked them about how I'd pass the secret to the client to do the client side encryption/decryption without that key being accessible to someone who is able to MITM intercept our HTTPS only API calls anyway, the guy basically couldn't understand my question and fumbled around in his 'Burp' suite pointing exasperatedly to how he is able to see the JSON body in POST requests.
Most of the security people we've met here, from what I can tell, are really clueless. Internally, we call these guys "burp babies" (worse than "script kiddies") who just seem to know how to follow some cookie-cutter instructions on using the Burp suite.
I am a pretty cookie-cutter developer. We just make glorified CRUDs and I have tried to convince the engineering director hundreds of times that "There is no use in encrypting and decrypting localStorage with a key that's sitting right inside the client code." Yet they keep insisting on it in the code-quality checklist.
You’re right, of course, but this reminds me of when Chrome didn’t obscure your passwords when looking at its autofill settings. The developers argued that it would just be security by obscurity -- if somebody has access to your computer when it’s unlocked, they can do anything they want, so obscuring your passwords does nothing.
The counter-argument is, even if it’s not perfectly secure, that extra bit of friction before you can see the passwords is useful, and may just save your bacon if a casual thief has access to your computer for a few seconds.
The Chrome team eventually saw sense and added some client-side password protection.
As long as you don’t only have client-side protections, of course (and maybe your clueless auditors were making that mistake).
Assuming that you've been MITM'd is a different violation of trust. And when you break your own assumptions, well, of course nothing makes sense. Were I the burp baby, I would've asked why you think we should not defend against literally any other side channel because maybe they broke TLS.
Very realistically, why shouldn't these developers be replaced by AI? The anti-AI argument I've always seen here is that AI is bad at security. But human developers at orgs like TCS don't seem...any better?
> October 23, 2023: They confirm receipt and are working on taking action. After this date and up until January 2, 2024, there were various back and forth emails trying to get Tata Motors to revoke the AWS keys. I am not sure if something was lost in translation, but it took a lot of pestering and specific instructions to get it done.
Wow, they had to go out of their way and plead with Tata Motors to fix their own shit. I can only admire their patience. Can't say I would be that patient.
Sending it with AES encryption (with the key that the client has access to) makes it even worse, as someone knew this shouldn't be shared with the client, yet they shared it anyway.
It's a side effect of pay. Like every other company, you get what you pay for, and for organizations that view web security as a [edit:] Cost Center (eg. Tata Motors) there's no incentive to pay market rate for a Security Engineer - who in India can now demand $60k-100k TCs.
Heck, firms that provide offensive security capabilities to Indian PDs can pay $40k-50k after poaching a junior pentester or exploit developer from a PD.
The customer portal of India's largest insurer, with a market cap of $63B, has literally not changed even once in the 14 years that I've been using it to pay my policy premiums.
I've dealt with Indian companies for security sales and I'd say the newer generation of companies like Razorpay (YC W15) are decent at SecOps, but the older and more established companies suck at it and will continue to suck at it until there is a tangible regulatory incentive to enhance security postures.
It also appears to be a side effect of compensation - why would a mid-career security professional want to earn ₹15 LPA TC working for a legacy corporation if they have the skills to land at a security MNC that can afford to pay ₹35-50 LPA in TC?
Ofc, it's us foreign investors who are able to afford those higher TCs ;) - especially if we can convert someone who was mid-career in the US but had to return to India due to family or visa issues.
It reminds me of how the Israeli security scene was 10-15 years ago, with similar problems around compensation and brain drain to MNC offices.
Total tangent, but I got to ride in some of these on a recent trip to India and I was really impressed with the build quality and utilitarian usefulness of the design.
This might be the first time I felt disappointed and sad reading an article like this. The commented username and password felt like something from an early 2000s TV show with the tech guy doing “hacking”.
Wonder how many others stumbled upon this prior, and makes me also wonder how many other sites have things like this hidden in plain sight. Insane.
This may look "boring" or "uninspired" but this is what real cybersecurity and "hacking" looks like.
In most cases, security and QA are essentially two sides of the same coin - and this is why I get pissed when devs treat testing and QA as bulls**t, because even a relatively simple XSS attack or cred misconfig can have a massive impact.
You install their GitHub app and give them access to your GitHub repo (private repos are ok too) and they run a GitHub workflow when each PR is submitted scanning for secrets that should not be in the code. Really happy with how their product works.
If you weren't aware of it... There is a world of static application security tools (SAST) which can help you. Add them to your text editor/CI/CD to use them.
Users in India wouldn't care that much about privacy of their data as much as the Western folks do. This reduces the importance of this whole episode and I don't think this news flashed across TV screens or caused a debate anywhere.
India is a karma society. Karma doesn't mean upvotes. It means you get what you're destined for, or what you deserve. People take things in their stride and keep moving, while keeping their eyes wide open. When you are moving through a jungle, there is no point in blaming thorns or getting angry at wild animals.
So basically you are saying that India is a society that is still soaked in an ideology that justifies the special privileges of temple staff and tells peasants that being a sharecropper in a rent-for-protection racket is their own fault, so hand it over, and more so that you approve. You sound like every temple staff worker ever. Grow up.
The kind of cope certain people come up with to justify the faults (and lack of basic living standards) of a civilization are insane.
India is not a "karma" society, India is a 'jugaad' society where everyone does just enough to get by. The lack of civilizational willpower to fix things which slightly harm the entrenched elite is very well known. (Case in point - the recent stray dogs issue, where the life of the common man was put in danger because some rich animal welfare aunties protested against it.)
Thankfully Indian gen Z at least accepts these problems. Look at the memes on the gen Z spaces. Internet has let them know that living standards can be much better and other countries have risen from similar poverty levels. So there's some hope.
You can't keep doing this 'india is not for beginners' forever.
hannofcart|4 months ago
sayamqazi|4 months ago
iainmerrick|4 months ago
halJordan|4 months ago
EatonZ|4 months ago
tonyhart7|4 months ago
burp suite babies is crazy work
thelastgallon|4 months ago
The 'tech' for both these is by guess who? TCS!
Edit: For those who don't know the relation. Tata[1] is a conglomerate, which owns both Tata Motors (Jaguar, Land Rover) and also TCS (Tata Consultancy Services)
[1] https://en.wikipedia.org/wiki/Tata_Group
cjs_ac|4 months ago
spaceman_2020|4 months ago
rdtsc|4 months ago
speckx|4 months ago
quickthrowman|4 months ago
Linkd|4 months ago
darth_avocado|4 months ago
YetAnotherNick|4 months ago
horns4lyfe|4 months ago
sharadov|4 months ago
Look at the websites - most look like they've not been upgraded since the 90s, with endless popups.
alephnerd|4 months ago
spaceman_2020|4 months ago
Ylpertnodi|4 months ago
You get popups? What are you using to browse? IE5?
I sometimes get 'this site is trying to open another window - allow/block?': the answer is always 'No'.
paxys|4 months ago
ksynwa|4 months ago
tehlike|4 months ago
Some go on to sue such researchers.
DaSHacka|4 months ago
pkphilip|4 months ago
debarshri|4 months ago
I'm a cofounder of a data and identity security startup operating specifically in APAC. Data security in India is a joke.
I would argue that even with DPDPA, RBI C-Site and the cyber resilience framework from SEBI, it is just not going to happen here.
The list of PAN cards the blog is talking about is probably already leaked by some other services.
The recent Flipkart cash-on-delivery scams [1] are an example of how your personal information is just out there in the wild in India, open for exploitation.
There are a lot who do security in good faith (often driven by compliance), and a lot of them are our customers too, but I hope to see the rest of the Indian tech ecosystem take security seriously.
[1] https://www.reddit.com/r/FuckFlipkart/comments/1hhrw9w/what_...
alephnerd|4 months ago
fakedang|4 months ago
> September 1, 2023: Tata Motors shared with CERT-IN (who then shared with me) that the issues are remediated.
> September 3, 2023: I confirm only 2/4 issues were remediated and the AWS keys were still present on the websites, and active.
> October 22, 2023: After no updates and finding the AWS issues still not remediated, I send over some more specific steps on what must be done.
> October 23, 2023: They confirm receipt and are working on taking action. After this date and up until January 2, 2024, there were various back and forth emails trying to get Tata Motors to revoke the AWS keys. I am not sure if something was lost in translation, but it took a lot of pestering and specific instructions to get it done.
Stay classy TCS.
faridv|3 months ago
guluarte|4 months ago
https://imgur.com/a/ybFcY5Y
https://imgur.com/Pf7ywbK
driverdan|4 months ago
chisleu|4 months ago
coldfoundry|4 months ago
alephnerd|4 months ago
spprashant|4 months ago
fred_is_fred|4 months ago
qwertytyyuu|4 months ago
sreetamdas|4 months ago
connectsnk|4 months ago
UltraMagnus|4 months ago
unsungNovelty|4 months ago
https://owasp.org/www-community/Source_Code_Analysis_Tools
EatonZ|4 months ago
I worked for them a little bit and their product is really impressive and works great.
heretoread9000|4 months ago
vivzkestrel|4 months ago
defraudbah|4 months ago
guluarte|4 months ago
yahoozoo|4 months ago
zkmon|4 months ago
inavida|4 months ago
never_inline|4 months ago