Sending it with AES encryption(with the key that the client has access to) makes it even worse, as someone knew this shouldn't be shared to client yet they shared it anyway.
The customer portal of India's largest insurer with a marketcap of $63B has literally not changed even once in the 14 years that I've been using it to pay my policy premiums
Edit: For those who don't know the relation. Tata[1] is a conglomerate, which owns both Tata Motors (Jaguar, Land Rover) and also TCS (Tata Consultancy Services)
Very realistically, why shouldn't these developers be replaced by AI? The anti-AI argument I've always seen here is that AI is bad at security. But human developers at orgs like TCS don't seem...any better?
> October 23, 2023: They confirm receipt and are working on taking action. After this date and up until January 2, 2024, there were various back and forth emails trying to get Tata Motors to revoke the AWS keys. I am not sure if something was lost in translation, but it took a lot of pestering and specific instructions to get it done.
Wow, they had to go out of their way and plead with Tata Motors to fix their own shit. I can only admire their patience. Can't say I would be that patient.
> September 1, 2023: Tata Motors shared with CERT-IN (who then shared with me) that the issues are remediated.
September 3, 2023: I confirm only 2/4 issues were remediated and the AWS keys were still present on the websites, and active.
October 22, 2023: After no updates and finding the AWS issues still not remediated, I send over some more specific steps on what must be done.
October 23, 2023: They confirm receipt and are working on taking action. After this date and up until January 2, 2024, there were various back and forth emails trying to get Tata Motors to revoke the AWS keys. I am not sure if something was lost in translation, but it took a lot of pestering and specific instructions to get it done.
I'm a cofounder of a data and identity security startup operating specifically in APAC.
Data security in india a joke.
I would argue even with DPDPA, RBI C-Site and cyber resilience framework from SEBI, it is just going to not happen here.
The list PAN card the blog is taking about is probably already leaked by some other services.
The recent flipkart cash on delivery scams [1] are example of how your personal information is just out there in wild in india, open for exploitation.
There are lot of who do security in good faith (often driven by compliance) and lot of them are our customers too but I hope to see rest of indian tech ecosystem take security seriously.
This might be the first time I felt disappointed and sad reading an article like this. The commented username and password felt like something from an early 2000s tv show with the tech guy doing “hacking”.
Wonder how many others stumbled upon this prior, and makes me also wonder how many other sites have things like this hidden in plain sight. Insane.
> As recently seen with Intel, there seems to be a trend where developers will do this pointless client-side decryption. When the client has the key, it’s strange that anyone would think that would be secure.
I stay and work in India. Yesterday, as part of a VAPT audit by a third party auditor, the auditors "recommended" that we do exactly this. I wonder if this directive comes as part of some outdated cyber security guidelines that are passed around here? Not entirely sure.
When I asked them about how I'd pass the secret to the client to do the client side encryption/decryption without that key being accessible to someone who is able to MITM intercept our HTTPS only API calls anyway, the guy basically couldn't understand my question and fumbled around in his 'Burp' suite pointing exasperatedly to how he is able to see the JSON body in POST requests.
Most of the security people we've met here, from what I can tell are really clueless. Internally, we call these guys "burp babies" (worse than "script kiddies") who just seem to know how to follow some cookie cutter instructions on using the Burp suite.
You’re right, of course, but this reminds me of when Chrome didn’t obscure your passwords when looking at its autofill settings. The developers argued that it would just be security by obscurity -- if somebody has access to your computer when it’s unlocked, they can do anything they want, so obscuring your passwords does nothing.
The counter-argument is, even if it’s not perfectly secure, that extra bit of friction before you can see the passwords is useful, and may just save your bacon if a casual thief has access to your computer for a few seconds.
The Chrome team eventually saw sense and added some client-side password protection.
As long as you don’t only have client-side protections, of course (and maybe your clueless auditors were making that mistake).
Assuming that youve been mitm'd is a different violation of trust. And when you break your own assumptions, well of course nothing makes sense. Were i the burp baby i would've asked why you think we should not defend against literally any other side channel because maybe they broke tls.
Users in India wouldn't care that much about privacy of their data as much as the Western folks do. This reduces the importance of this whole episode and I don't think this news flashed across TV screens or caused a debate anywhere.
India is a karma society. Karma doesn't mean upvotes. It means, you get what you destined for, or what you deserve. People take things in their stride and keep moving, while keeping their eyes wide open. When you are moving through a jungle, there is no point in blaming thorns or getting angry on wild animals.
Total tangent, but I got to ride in some of these on a recent trip to India and I was really impressed with the build quality and utilitarian usefulness of the design.
42 comments
[ 4.9 ms ] story [ 73.2 ms ] threadLook at the websites - most look like they've not been upgraded since the 90s, with endless popups
The 'tech' for both these is by guess who? TCS!
Edit: For those who don't know the relation. Tata[1] is a conglomerate, which owns both Tata Motors (Jaguar, Land Rover) and also TCS (Tata Consultancy Services)
[1] https://en.wikipedia.org/wiki/Tata_Group
Wow, they had to go out of their way and plead with Tata Motors to fix their own shit. I can only admire their patience. Can't say I would be that patient.
> September 1, 2023: Tata Motors shared with CERT-IN (who then shared with me) that the issues are remediated. September 3, 2023: I confirm only 2/4 issues were remediated and the AWS keys were still present on the websites, and active. October 22, 2023: After no updates and finding the AWS issues still not remediated, I send over some more specific steps on what must be done. October 23, 2023: They confirm receipt and are working on taking action. After this date and up until January 2, 2024, there were various back and forth emails trying to get Tata Motors to revoke the AWS keys. I am not sure if something was lost in translation, but it took a lot of pestering and specific instructions to get it done.
Stay classy TCS.
I'm a cofounder of a data and identity security startup operating specifically in APAC. Data security in india a joke.
I would argue even with DPDPA, RBI C-Site and cyber resilience framework from SEBI, it is just going to not happen here.
The list PAN card the blog is taking about is probably already leaked by some other services.
The recent flipkart cash on delivery scams [1] are example of how your personal information is just out there in wild in india, open for exploitation.
There are lot of who do security in good faith (often driven by compliance) and lot of them are our customers too but I hope to see rest of indian tech ecosystem take security seriously.
[1] https://www.reddit.com/r/FuckFlipkart/comments/1hhrw9w/what_...
I worked for them a little bit and their product is really impressive and works great.
Wonder how many others stumbled upon this prior, and makes me also wonder how many other sites have things like this hidden in plain sight. Insane.
I stay and work in India. Yesterday, as part of a VAPT audit by a third party auditor, the auditors "recommended" that we do exactly this. I wonder if this directive comes as part of some outdated cyber security guidelines that are passed around here? Not entirely sure.
When I asked them about how I'd pass the secret to the client to do the client side encryption/decryption without that key being accessible to someone who is able to MITM intercept our HTTPS only API calls anyway, the guy basically couldn't understand my question and fumbled around in his 'Burp' suite pointing exasperatedly to how he is able to see the JSON body in POST requests.
Most of the security people we've met here, from what I can tell are really clueless. Internally, we call these guys "burp babies" (worse than "script kiddies") who just seem to know how to follow some cookie cutter instructions on using the Burp suite.
burp suite babies is crazy work
The counter-argument is, even if it’s not perfectly secure, that extra bit of friction before you can see the passwords is useful, and may just save your bacon if a casual thief has access to your computer for a few seconds.
The Chrome team eventually saw sense and added some client-side password protection.
As long as you don’t only have client-side protections, of course (and maybe your clueless auditors were making that mistake).
India is a karma society. Karma doesn't mean upvotes. It means, you get what you destined for, or what you deserve. People take things in their stride and keep moving, while keeping their eyes wide open. When you are moving through a jungle, there is no point in blaming thorns or getting angry on wild animals.
https://imgur.com/a/ybFcY5Y
https://imgur.com/Pf7ywbK