by pilif 1349 days ago
My favourite issue caused by a corporate firewall was when it altered an AJAX request to replace a specific combination of digits (in a long product ID) by asterisks.

Turns out that a substring of that product ID matched the client company's phone number and their security theatre intercepting proxy was replacing all occurrences of "sensitive" strings sent to the internet with asterisks.

The irony is, of course, that as one of the people running the site, I didn't know (and would never have wanted to know) the user's phone number until this incident.

How I loathe security theatre.

4 comments

Did you let them know? They of course need to patch this vulnerability by blocking anything containing 11 consecutive digits.
That's crazy!

The right thing would be to add a lookup function to first verify the phone number is in use and then call the number to ask for permission to use it; followed by a webhook to send a confirmation back to the database to cache that info because this needs to be efficient!

/s

How do you propose to tackle the cache invalidation challenge?

/s

Now the other site knows the phone number (they know what was sent, and they see what was replaced by asterisks).

And now they can exfiltrate all the sensitive phone numbers -- just sending clients (you) long strings of numbers, and see what was replaced.

They have just implemented this protocol http://bash.org/?244321
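The oracle the comment above describes, as an added example that is not from the thread: a toy model of a substitution-based DLP proxy, the server-side diff that recovers whatever the proxy masked, and an active probe that recovers a short secret in one request. The proxy function, the `recover_masked` helper, the de Bruijn probe and the sample secret are all constructed for this illustration, not taken from any real appliance or from the poster's site.

```python
from __future__ import annotations

import re


def dlp_proxy(payload: str, sensitive: str, mask: str = "*") -> str:
    """Constructed model of the intercepting proxy in the story: every occurrence
    of the 'sensitive' string in outbound traffic is replaced by asterisks of the
    same length. Not any real product."""
    return payload.replace(sensitive, mask * len(sensitive))


def recover_masked(sent: str, received: str) -> list[str]:
    """Server-side view. The server knows what the client's JS was supposed to
    send (it rendered the product ID into the page itself) and sees what arrived.
    Each run of asterisks in the received copy marks a substring the proxy
    considered secret, so the original bytes at those offsets are the secret."""
    if len(sent) != len(received):
        raise ValueError("mask changed the length; cannot align sent and received")
    return [sent[m.start():m.end()] for m in re.finditer(r"\*+", received)]


def de_bruijn(k: int, n: int) -> str:
    """Shortest cyclic string over digits 0..k-1 containing every length-n digit
    string exactly once (standard FKM algorithm). Used to build one probe that
    covers every possible n-digit secret."""
    a = [0] * (k * n)
    out: list[int] = []

    def db(t: int, p: int) -> None:
        if t > n:
            if n % p == 0:
                out.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return "".join(str(d) for d in out)


def exfiltrate(secret_len: int, proxy) -> str | None:
    """Active attack from the other end of the connection: send one long digit
    string in which every secret_len-digit value appears exactly once, and read
    the secret off whichever window came back as asterisks. 'proxy' stands in
    for the victim's network path (the constructed dlp_proxy above)."""
    probe = de_bruijn(10, secret_len)
    probe += probe[:secret_len - 1]  # make cyclic coverage linear
    found = recover_masked(probe, proxy(probe))
    return found[0] if found else None


if __name__ == "__main__":
    # Passive leak, as in the story: a product ID happens to contain the "secret".
    sent = "POST /basket/add id=123456"
    received = dlp_proxy(sent, "2345")            # what the shop actually receives
    print(received, recover_masked(sent, received))
    # Active probe against a constructed 4-digit secret (e.g. an extension):
    print(exfiltrate(4, lambda p: dlp_proxy(p, "0420")))
```

For a full 11-digit phone number the single-request probe would be 10^11 characters, so in practice an attacker narrows it with a known country or area prefix or spreads the windows over many requests; the point is that the proxy turns "what got replaced" into an oracle for whoever controls the receiving side, and the victim's own site cannot tell a probe from an ordinary POST.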
This is because you deployed your software somewhere in the public cloud and tested it from your workstation over the public Internet? This is a policy violation, and you need to learn how to develop and test properly over secure channels. Reach out to your Director of Engineering and request proper instructions on how to develop and test software.

The public Internet-facing channel is rightfully scanned and screened for these kinds of patterns to prevent unauthorized data loss.

I think you misunderstood my tale. I'm running a SaaS business and one of our customers' users had this issue when they were interacting with the site because that end user's proxy server was arbitrarily altering AJAX requests made by their browsers.

This is an end user making a request to an online shop, and the POST request to "add product 123456 to the basket" gets changed to "add the product 12***6 to the basket" by a security* proxy between the end user and the web site.

This isn't specific to the site we run. This would have happened on any site they were posting to.

Shouldn't HTTPS prevent this unless the client has the certificate of the MITMer installed?

This being security theatre, it is entirely plausible that the "security" proxy actually decrypted traffic and required the user to have the certificate installed.

As I was saying, (from uncle comment):

https://news.ycombinator.com/item?id=33095888

> I work at a government agency and here are my tales.

> 1) They install a root certificate on all machines and use that to MITM all TLS connections using a firewall appliance. They turn this MITM on one day without notifying any developer. Overnight, all our builds (run on-prem) fail because npm install, pip install etc fail and we spent a long time trying to figure it out. They are still failing to this day and I have to get off the VPN every time I need to run these simple commands. IT absolutely doesn't give a flying * about developers.

Or, hear me out ... Get a different job.
You must be fun to work with.
Had to deal with too many interns who go to a company server and start updating packages and installing random stuff from the internet using wget | sudo bash, like it is their college laptop, just to run some crappy Python snippet they found over at Stackoverflow.
Why are you giving interns root access to production servers?