[HN Gopher] Decrypting Blind's Encrypted API
___________________________________________________________________

Decrypting Blind's Encrypted API

Author : jonluca
Score  : 39 points
Date   : 2020-03-21 19:16 UTC (3 hours ago)

(HTM) web link (blog.jldc.me)
(TXT) w3m dump (blog.jldc.me)

| bowmessage wrote:
| I've gone through this same exercise in the past in order to
| mass-delete a large number of comments on different threads. I
| was afraid that Blind may one day suffer a data leak. I attempted
| to reroll the crypto in Ruby, but ultimately failed and went the
| JS route, same as the author. I also had to roll my own session-
| token refresh logic. Finally I was wondering if any kind of data
| mining could be done with the tool, but I never took it that far.
| Thanks for the writeup!

| choppaface wrote:
| Well they already had at least one breach:
| https://techcrunch.com/2018/12/20/blind-anonymous-app-data-e...

| sonicggg wrote:
| You'd think that engineers from top-tier tech companies would
| know better, before sharing sensitive information on some random
| website.

| tehlike wrote:
| People like venting.

| kccqzy wrote:
| This is yet another reminder that good JS minification tools
| exist that can absolutely change object properties into short
| minimal strings instead of descriptive names. It's called the
| Closure Compiler in advanced mode. You do have to have quite a
| bit of discipline in writing the JS to have that though.

| jiofih wrote:
| Is there any point in encrypting API payloads when the traffic is
| going via TLS?

| thenewnewguy wrote:
| In theory: no, because anyone able to break the TLS could just
| slip in some JS to capture your comments.
|
| In practice: possibly, because many companies use TLS proxies
| that probably aren't doing that?

| jiveturkey wrote:
| For blind? yes. It is designed to be anonymous from your
| employer. Many employers, especially those for which employees
| would enjoy anonymous complaining, have TLS-intercepting
| middleboxes.

| bowmessage wrote:
| How would that work, unless the Blind posters are posting from
| corp-managed phones which have company-signed certs installed?

| RyJones wrote:
| Lots of places use an MDM profile if you connect to work email,
| for instance.

| SlowRobotAhead wrote:
| This kind of deep packet inspection is in no way limited to
| phones.

| chocolatkey wrote:
| Potentially to prevent MITM proxies on company computers from
| being able to sniff the traffic. Maybe because of what Blind is
| about, that would make sense? Otherwise, if it's secure TLS,
| then no reason at all.
|
| Edit: maybe the reason they use a public key for transmission is
| because you can't reverse that, and that would potentially be
| where your anonymous complaints (or whatever you do on Blind)
| would be?

| andersonmvd wrote:
| Reasons I can think of: depends whether you assume TLS is not
| going to be broken again and whether the TLS termination
| happens before the component you want to process the data, to
| do any sort of check, e.g., a web application firewall. With the
| goal of reducing insider threat and reducing exposure of
| sensitive data to components that don't need to know such data.
| However, usually it's a bad idea to solely rely on JavaScript
| crypto:
| https://www.nccgroup.trust/us/about-us/newsroom-and-events/b...

| eralps wrote:
| Nice article! I always wonder what the legal aspects of
| publishing a reverse engineering article for a private API are.
| Does the company that the API belongs to have the right to an
| obligatory take-down request?

| userbinator wrote:
| Is it really "private" if everyone with a browser and a brain
| can see what it's doing...?
___________________________________________________________________
(page generated 2020-03-21 23:00 UTC)