42 comments

[ 4.9 ms ] story [ 73.2 ms ] thread
The fact that they put their AWS secret keys on their website is incredible.
Sending it with AES encryption(with the key that the client has access to) makes it even worse, as someone knew this shouldn't be shared to client yet they shared it anyway.
(comment deleted)
If you’ve ever worked with Indian outsourcing firms it’s not
That’s exactly the kind of work I’d expect from TCS, I’m not sure why you are surprised.
Even more importantly, why do the root keys expose EVERYTHING? Do they just have one account for all of their infra?
The fact that it's nicely commented is even more so. Check out the other environment configs commented out, are they doing this by hand? Wild.
So the author got nothing but a thank you out of it? That's a shame.
Security for most Indian companies - even conglomerates is a joke.

Look at the websites - most look like they've not been upgraded since the 90s, with endless popups

The customer portal of India's largest insurer with a marketcap of $63B has literally not changed even once in the 14 years that I've been using it to pay my policy premiums
Related: Jaguar Land Rover hack cost UK economy an estimated $2.5 billion, report says: https://news.ycombinator.com/item?id=45668008

The 'tech' for both these is by guess who? TCS!

Edit: For those who don't know the relation. Tata[1] is a conglomerate, which owns both Tata Motors (Jaguar, Land Rover) and also TCS (Tata Consultancy Services)

[1] https://en.wikipedia.org/wiki/Tata_Group

Very realistically, why shouldn't these developers be replaced by AI? The anti-AI argument I've always seen here is that AI is bad at security. But human developers at orgs like TCS don't seem...any better?
> October 23, 2023: They confirm receipt and are working on taking action. After this date and up until January 2, 2024, there were various back and forth emails trying to get Tata Motors to revoke the AWS keys. I am not sure if something was lost in translation, but it took a lot of pestering and specific instructions to get it done.

Wow, they had to go out of their way and plead with Tata Motors to fix their own shit. I can only admire their patience. Can't say I would be that patient.

I'll just leave this here:

> September 1, 2023: Tata Motors shared with CERT-IN (who then shared with me) that the issues are remediated. September 3, 2023: I confirm only 2/4 issues were remediated and the AWS keys were still present on the websites, and active. October 22, 2023: After no updates and finding the AWS issues still not remediated, I send over some more specific steps on what must be done. October 23, 2023: They confirm receipt and are working on taking action. After this date and up until January 2, 2024, there were various back and forth emails trying to get Tata Motors to revoke the AWS keys. I am not sure if something was lost in translation, but it took a lot of pestering and specific instructions to get it done.

Stay classy TCS.

This shouldn't be a surprise for anyone who has worked with TCS contractors in the past.
This is a pessimistic comment.

I'm a cofounder of a data and identity security startup operating specifically in APAC. Data security in india a joke.

I would argue even with DPDPA, RBI C-Site and cyber resilience framework from SEBI, it is just going to not happen here.

The list PAN card the blog is taking about is probably already leaked by some other services.

The recent flipkart cash on delivery scams [1] are example of how your personal information is just out there in wild in india, open for exploitation.

There are lot of who do security in good faith (often driven by compliance) and lot of them are our customers too but I hope to see rest of indian tech ecosystem take security seriously.

[1] https://www.reddit.com/r/FuckFlipkart/comments/1hhrw9w/what_...

Are there any open source tools that scans the code and detects such gaffes
trufflehog is a good starting point, then bake in your own simple regex into your github actions or equivalent and make it part of your test suite
I'm curious, why wait so long to publish this? The incident was in 2023.
This might be the first time I felt disappointed and sad reading an article like this. The commented username and password felt like something from an early 2000s tv show with the tech guy doing “hacking”.

Wonder how many others stumbled upon this prior, and makes me also wonder how many other sites have things like this hidden in plain sight. Insane.

> As recently seen with Intel, there seems to be a trend where developers will do this pointless client-side decryption. When the client has the key, it’s strange that anyone would think that would be secure.

I stay and work in India. Yesterday, as part of a VAPT audit by a third party auditor, the auditors "recommended" that we do exactly this. I wonder if this directive comes as part of some outdated cyber security guidelines that are passed around here? Not entirely sure.

When I asked them about how I'd pass the secret to the client to do the client side encryption/decryption without that key being accessible to someone who is able to MITM intercept our HTTPS only API calls anyway, the guy basically couldn't understand my question and fumbled around in his 'Burp' suite pointing exasperatedly to how he is able to see the JSON body in POST requests.

Most of the security people we've met here, from what I can tell are really clueless. Internally, we call these guys "burp babies" (worse than "script kiddies") who just seem to know how to follow some cookie cutter instructions on using the Burp suite.

lmao

burp suite babies is crazy work

You’re right, of course, but this reminds me of when Chrome didn’t obscure your passwords when looking at its autofill settings. The developers argued that it would just be security by obscurity -- if somebody has access to your computer when it’s unlocked, they can do anything they want, so obscuring your passwords does nothing.

The counter-argument is, even if it’s not perfectly secure, that extra bit of friction before you can see the passwords is useful, and may just save your bacon if a casual thief has access to your computer for a few seconds.

The Chrome team eventually saw sense and added some client-side password protection.

As long as you don’t only have client-side protections, of course (and maybe your clueless auditors were making that mistake).

Appreciate the insight!
Assuming that youve been mitm'd is a different violation of trust. And when you break your own assumptions, well of course nothing makes sense. Were i the burp baby i would've asked why you think we should not defend against literally any other side channel because maybe they broke tls.
Woah Tata is everywhere, weren't they also the biggest youtube channel?
If there any any TCS employees on Hackernews, please show this post to your management. This is beyond embarrassing on so many levels.
Users in India wouldn't care that much about privacy of their data as much as the Western folks do. This reduces the importance of this whole episode and I don't think this news flashed across TV screens or caused a debate anywhere.

India is a karma society. Karma doesn't mean upvotes. It means, you get what you destined for, or what you deserve. People take things in their stride and keep moving, while keeping their eyes wide open. When you are moving through a jungle, there is no point in blaming thorns or getting angry on wild animals.

Total tangent, but I got to ride in some of these on a recent trip to India and I was really impressed with the build quality and utilitarian usefulness of the design.
He would have had better results if he said "do the needful" in his first email to them.
protip: never trust the client