by mdek 1705 days ago
From the article, it sounds like nothing even remotely questionable was done by the reporter who found the flaw:

> "According to the Post-Dispatch, one of its reporters discovered the flaw in a web application allowing the public to search teacher certifications and credentials. No private information was publicly visible, but teacher Social Security numbers were contained in HTML source code of the pages."


We've always known that using DevTools was a criminal activity. In fact, the sheer number of people using them places this at criminal conspiracy levels. Better start filing those RICO cases against the browser devs. /s
The US Government has a STIG (Security Technical Implementation Guide [1], a government-proprietary term for "IT policy") that requires that you disable Dev Tools in IE [2], Edge [3] and Chrome [4]. Their justification (from [1]):

> Information needed by an attacker to begin looking for possible vulnerabilities in a web browser includes any information about the web browser and plug-ins or modules being used. When debugging or trace information is enabled in a production web browser, information about the web browser, such as web browser type, version, patches installed, plug-ins and modules installed, type of code being used by the hosted application, and any back-ends being used for data storage may be displayed

I wish I were making this up.

[1] https://en.wikipedia.org/wiki/Security_Technical_Implementat...

[2] https://stigviewer.com/stig/microsoft_internet_explorer_11/2...

[3] https://www.stigviewer.com/stig/microsoft_edge/2021-02-16/fi...

[4] https://www.stigviewer.com/stig/google_chrome_current_window...

I can think of at least one legitimate reason to block the dev console. There are these posts I've seen over the years that say to "press the hotkey to open the Javascript console, and paste this Javascript blob" (obviously in much more persuading terms) to get a discount on Ray-Bans or something. Disabling it prevents a possible information leak vector.
There's a legitimate reason for doing _almost anything_ - it's a question of likelihood, impact, and knock-on effects.

I can only imagine how much taxpayer money has been set on fire by developers having to debug single-page applications running on these systems without the aid of Dev Tools... these types of material wastages are created in an imperfect attempt to prevent the mere possibility of something that could be more effectively mitigated through training and web content filtering.

I've never seen one in the wild, thought it would be interesting to see what they want you to paste into the console, probably something to transmit them your session token. I know Facebook has a huge warning about it when you open devtools on their site.
Yeah - they added that warning because of these precise things. I haven't kept one around but I've definitely seen them since I fell for it many, many years ago.
This seems really lazy. Duh, it's gov't, but I'm talking about the attacker. If they can use JS to gather all of that info to display in the console hoping to get a user to read it back to them or whatever, why not just save it all and submit back via ajax?
How dare you did "View Source", you hacker.
What's "view source", some kind of hacking instructions? Sounds like you're abetting.
As long as you're not aiding at the same time. Aiding & abetting is a no-no. Aiding OR abetting is not claimed to be an issue.
You mean aiding XOR abetting. Consider the forum.
Why does it have to be exclusive? If both are false, then there's no confusion on making a charge. If only one is true, then someone being lazy might think it matches.

Along your lines of considering the forum, wouldn't it need to be aiding && abetting? I don't know how to bitwise compare aiding to abetting.

Counterpoint that might get some attention:

"The Governor is in possession of software on his personal computer that allows him to decrypt the personal details of thousands of constituents who may have voted for or against him."

The "software" being a web browser, of course.

> you hacker

What a "hacker" is is a matter of definition.

But, the fact is the state was using "encryption" with such a level of security that pressing one button on any computer with a browser is all that is required to defeat it.

And I'll bet even the governor has access to this decryption software - he's got it installed on his phone, even! He must be hacking on the go.
Better hope they only used View Source. Could you imagine the federal crime of using curl or wget to retrieve this data?
Some serious Jedi business going on here
That's why at my current client, DevTools in the browser is blocked through Group Policy...

/not sarcasm, I wish I were joking...

Translation: search for a certification on the public website, receive an SSN in response. Only 'hacking' by reporter was to then press 'Ctrl+U' in the browser and read the characters.
He used the basic reading skills that are taught in every public and private education system in the country to hack us!
Imagine if the reporter had used curl…
Oh that is so bad.

It's events and negligence like this that give credence to credentialing requirements for software engineering.

Imagine if we had credentialing requirements for elected office…
I don't think the issue is that elected officials are dumb. I think it's the opposite, most are quite intelligent. It's more that they are evil/corrupt/self-serving, and acting dumb is part of how they get away with it.
We do. It's called an election. What you want is credentialing requirements for voting.
And the US used to have them too. The basic approach was that if you have land, you have a stake in the future of the republic. It was debated as to whether the landless would have the same stake.
I'm pretty sure I want credentialing requirements for anyone running for any public office. I'd settle for automatic exclusion of anyone displaying narcissistic, psychopathic, or sociopathic tendencies and inclusion of rational pragmatists.
I would also "settle" for picking the people I like.

Also, pretty sure that you have to be at least somewhat narcissistic to think that you should be president, and somewhat sociopathic to actually succeed.

Like redacting a public document by making the redacted parts have a black background with black text. If people can't see it, it is secure.
Tell me if I'm reading this wrong. I want to be reading this wrong.

Is this saying that when you viewed a certain page (which I assume had only one person's SSN visible, or perhaps other teacher information like names), the "invisible" SSNs were just hidden with `display: none` or similar?

I think what actually happened is that there was a page where you could get information about a particular educator. In the HTML source the server returned for that page private information about *that educator* was included in non-displaying elements.
Makes sense. Jesus, though.
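The failure mode the last few comments describe, as an added example that is not code from the thread or from the state's application: a server-rendered lookup page that emits every field of a record and merely hides the private one with CSS, next to the corrected version that never serializes it. The field names, the record and the SSN-shaped value are all constructed placeholders, and `findSsnShapedStrings` stands in for what View Source, curl or wget would show a reader.

```javascript
// Added example, not code from the thread or from the Missouri site.
// Models the pattern described above: private data in non-displaying
// elements of a public page. Every value below is a constructed sample.

const PUBLIC_FIELDS = ["name", "certificate", "status"];
const SENSITIVE_FIELDS = ["ssn"];

const SAMPLE_RECORD = {            // constructed sample, not a real educator
  name: "Sample Educator",
  certificate: "CERT-000000",
  status: "Active",
  ssn: "000-00-0000",              // placeholder SSN-shaped string
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

function row(label, value, hidden) {
  const style = hidden ? ' style="display:none"' : "";
  return `<tr${style}><th>${escapeHtml(label)}</th><td>${escapeHtml(value)}</td></tr>`;
}

// The pattern from the thread: every field goes into the HTML and the
// "private" ones are only hidden visually. The response body still carries
// them, so Ctrl+U, DevTools, curl or wget all see them.
function renderVulnerable(record) {
  const rows = [
    ...PUBLIC_FIELDS.map((f) => row(f, record[f], false)),
    ...SENSITIVE_FIELDS.map((f) => row(f, record[f], true)),
  ];
  return `<table>${rows.join("")}</table>`;
}

// The fix: decide server-side which fields this viewer may receive and never
// serialize the rest. A value that was never sent cannot be recovered by
// any client-side trick, and blocking DevTools becomes irrelevant.
function renderHardened(record, allowedFields = PUBLIC_FIELDS) {
  const rows = allowedFields
    .filter((f) => Object.prototype.hasOwnProperty.call(record, f))
    .map((f) => row(f, record[f], false));
  return `<table>${rows.join("")}</table>`;
}

// What a raw-body reader sees: a plain pattern scan over the HTML surfaces
// SSN-shaped strings regardless of how the page styles them.
function findSsnShapedStrings(html) {
  return html.match(/\b\d{3}-\d{2}-\d{4}\b/g) || [];
}

console.log(findSsnShapedStrings(renderVulnerable(SAMPLE_RECORD))); // ["000-00-0000"]
console.log(findSsnShapedStrings(renderHardened(SAMPLE_RECORD)));   // []
```

The check a reviewer would actually run against a real site is the same scan over the raw response rather than over the rendered DOM: `curl -s <url> | grep -E '[0-9]{3}-[0-9]{2}-[0-9]{4}'` finds exactly what the hidden rows leak, which is why "hide it with CSS" is never an access control.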