
At Blind, a security lapse revealed private complaints from tech employees - Eschatologist
https://techcrunch.com/2018/12/20/blind-anonymous-app-data-exposure/
======
ineedasername
I'd never checked out Blind before. I just went there and checked out a few of
the front page posts & comments. It has some of the most toxic and destructive
"advice" I've seen for people asking for help or insight. I'm a bit astounded.
Is this typical?

~~~
sharadov
It's pathetic, you see some of the most depraved, narcissistic members of the
tech society there. The quality of the discourse you can guess is shockingly
bad, and most people are from the Bay area. Is this an accurate representation
of people in the Bay? Or is it just a platform for toxic folk to hang out?

~~~
marijnz
I spent more time reading the threads than I should have, it's strangely
addicting. I now feel naive for thinking that the people working at the big
tech companies have a certain base level of "all-round" skills. In no way did I
expect so much cynicism, narcissism and lack of empathy! Isn't this showing up
in interviews? Or should it just be seen as online trolling and venting?

~~~
yulaow
Sociopaths are extremely good at faking empathy or a friendly personality when
in need (e.g. interviews). To actually recognize them you have to look very
closely for at least some weeks once they feel they are not risking their
initial position anymore. Sadly most companies at that point have no way of
managing these guys or of recognizing they have to fire them (often because they
are still extremely careful to keep faking their personality with the higher
ups, while being toxic to those below and at the same level as them).

~~~
dpark
Most assholes aren't sociopaths. The pseudo-anonymity and "exclusivity" of
Blind encourages trolls and assholes to congregate. People say things just to
piss others off, and they also say "publicly" the douchebag things they'd
normally only say to close friends/family (overt racism, homophobia,
xenophobia, etc). None of this means they are actually sociopaths, though.
Just run of the mill assholes and trolls.

------
northerdome
Anyone who believes a random startup that advertises they provide anonymity in
security on their homepage is smoking something strong. No legitimate company
that cares about security makes such absolute statements.

------
mrep
Lol. I like the concept of blind but it is one of the shittiest apps I have used.
Their app consistently doesn't respond correctly to buttons and their
redesigns just make their user interface worse.

Oh, and on the topic of security, one guy found a SQL injection exploit and
demonstrated it by giving any users who commented on their post 100 likes...

------
bg24
I have used blind. Some posts were pretty blatant. Just like Ashley Madison,
someone is going to dump all those posts in future. And somebody will create
an indexable search, maybe paid access for employers - instead of open access
for public. Not a good thing.

------
xivzgrev
Sounds like they don’t give a shit and only reacted when TC was going to write
a story about it. Surprising given that user trust is at the core of their
business, and without it they have nothing.

~~~
foobiekr
Their inaction on being notified is quite damning.

~~~
whatshisface
If I was an evil CEO, I would purposely start an anonymous messaging platform
just to collect compromising statements.

------
duxup
>At its core, the app and anonymous social network allows users to sign up
using their corporate email address, which is said to be linked only to
Blind’s member ID.

People just trusted it?

I get that to seem legitimate the users have to be confirmed in some way, but
as a user... no way am I exposing myself that way.

~~~
zlast
The emails were "sitting plaintext in an exposed database."

Major things wrong: unencrypted email addresses + private messages, leaving
the database without a password, database wasn't fixed until a week after
knowing of the error.

I find it concerning that this kind of news seems normal now.

~~~
duxup
The scale of poor security by default these days is pretty horrifying.

------
drngdds
Using Blind with your company email on the company WiFi seems really dumb?
Maybe I'm paranoid, but I act as though everything that goes through my
company WiFi and on my company computer is being tracked and stored in some
database forever under my name.

And I assume the company email is used to send you a verification email, which
means your employer is now tipped off to the fact that you're using a site to
anonymously criticize them.

~~~
rootsudo
Correct, it's very easy to find out who in the company is on Blind -- most
corporations use Exchange.

Easy as this: [http://ivan.dretvic.com/2011/05/remove-specific-email-from-all-mailboxes-in-exchange-2010-sp1/](http://ivan.dretvic.com/2011/05/remove-specific-email-from-all-mailboxes-in-exchange-2010-sp1/)

The article says "remove" but before you remove, you need to list all
employees that have that email - if you just make a test account or look for
the domain then you can pipe the results to a text file and that's your list
of company insiders who are on the platform.

What leadership does with that info, is well, never good.

~~~
yanslookup
Posted above but someone at my org sent an invite to everyone. Having a list
of everyone that received an invite does not mean they signed up...

~~~
rootsudo
No, but people who did have an email confirmation. You can search not only
from domain sent, but from subject and body.

~~~
yanslookup
What? The invite email from blind is the email confirmation from blind...

------
saagarjha
> The database also contained passwords, which were stored as an MD5 hash

!!!

~~~
eat_veggies
> Kim denied this. “We don’t use MD5 for our passwords to store them,” he
> said. “The MD5 keys were a log and it does not represent how we are managing
> data. We use more advanced methods like salted hash and SHA2 on securing
> users’ data in our database.”

!!!!!!

~~~
farazzz
Isn’t SHA2 the standard hashing algorithm? If not, what do people use now?

~~~
stef25
Back when I was a super junior php dev I stumbled across a post by Cal
Henderson about using bcrypt: [https://www.iamcal.com/2012-06/use-bcrypt/](https://www.iamcal.com/2012-06/use-bcrypt/)

His lib can be dropped in to any project (that doesn't have something
similar built in already):
[https://github.com/iamcal/lib_bcrypt](https://github.com/iamcal/lib_bcrypt)

Anyone writing code has no excuse for not using this, it's not rocket surgery.

~~~
highesttide
It's worth noting that the current standard encryption and password hashing in
the php core is great, with no external dependencies added.

------
dgzl
This bothers me:

> The database also contained passwords, which were stored as an MD5 hash, a
> long-outdated algorithm that is nowadays easy to crack. Many of the
> passwords were easily unscrambled using readily available tools when we
> tried.

That's not how hash functions work...

> Kim denied this. “We don’t use MD5 for our passwords to store them,” he
> said. “The MD5 keys were a log and it does not represent how we are managing
> data. We use more advanced methods like salted hash and SHA2 on securing
> users’ data in our database.”

This sounds much more likely.

> (Logging in with an email address and unscrambled password would be
> unlawful, therefore we cannot verify this claim.)

So, they directly claim that weakly hashed passwords were available (and
unscramble-able, apparently??), but they're unable to prove this and they're
ignoring the company's reasonable explanation. Great reporting.

~~~
austincheney
> That's not how hash functions work...

Kind of. A hash function just provides a near random set of characters of
fixed length for a given set of input in a way where the output characters are
reproducible for the given input. Passwords are not stored. It is the computed
hash value that is stored. When a user attempts to login with a username and
password the password is hashed and compared to the stored hash.

That said, you don't need the actual password to login. Any input that hashes
to the same hash string is acceptable, which is called a hash collision. When
they say _cracking the hash_ this is likely what they mean, and it's trivial to
compute provided a rainbow table.

Salting provides an additional round of computation. For example, let's say a
user is trying to login. Their password is hashed, but before the hashes are
compared some additional information is added on the end of the computed hash
and that new value is hashed. It is this new hash that is compared with the
stored hash, which requires knowledge of the hash algorithm, the salt, and the
hash value. You can generally guess the final hash algorithm in question by
observing the character length of the stored hashes, but since there are two
hash computations a different hash algorithm could be used for the first round
of hashing.

To be secure the salt must be stored in a different location from the stored
hashes and the salt value should not be statically visible in the source code
provided a source code compromise. Statically expressed passwords are uploaded
to code repositories all the time. Don't believe that you are protected from
associated vulnerabilities merely because the code base isn't open source.

To the article's defense neither claim was verified, but both claims were
reported. When the journalist cannot validate a claim themselves, or with
experts, it is completely acceptable to report the claim and report the
validation status.

~~~
throwawaymath
It's cool that you jumped on the opportunity to explain how password hashing
works. However, the reporter actually cracked hashes, so we can bypass all of
this discussion and plainly see the hashes were insecure.

And for what it's worth:

> _To be secure the salt must be stored in a different location from the
> stored hashes and the salt value should not be statically visible in the
> source code provided a source code compromise._

This isn't true. Your salt can be totally public if you're using a robust key
derivation function. Likewise you can make e.g. the work factor (rounds)
public for bcrypt and N, r and p public for scrypt (cost factor, block size
and parallelization parameters).

The rest of what you said about secrets management in code is sound though.

~~~
austincheney
You cannot crack a hash though. It is just a string of fixed length. Nobody
says _crack a string_ because it sounds ridiculous.

> Your salt can be totally public if you're using a robust key derivation
> function.

That is a deliberate strawman. If your salt is based on keys there is still
information you aren't exposing even if you are exposing the salt itself.

~~~
throwawaymath
Uh, what? You can obviously crack a hash digest, and this is standard
nomenclature used in both industry and academia. It simply means you've broken
preimage resistance or collision resistance in practice. What exactly do you
find controversial about this?

And your second paragraph doesn't follow. What I said isn't a strawman attack,
it's a basic observation. If you're not using a secure key derivation
function, a private salt will not save you. If you are, the salt can be public
and there is no meaningful degradation in security whatsoever - you could even
prepend or append it to the digest if you'd like.

As a broader point, what you're saying about fixed-length strings is
incorrect. Hash functions need not output strings of fixed length. The formal
definition of a hash function also admits functions of the form:

    H: {0, 1}^* -> {0, 1}^*

not just functions of the form:

    H: {0, 1}^* -> {0, 1}^n.

Or in other words, the codomain need not be finite, and the range can be
variable. Keccak (SHA-3) is an example of a hash function which provides
variable-length output instead of fixed-length output (i.e. via the sponge
construction).
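An added example (not code from any commenter, nor from Blind) tying together the two points argued above: a salted, iterated SHA-2 password record whose salt and work factor are stored in the clear next to the digest, next to the unsalted MD5 storage the article reports, plus a SHAKE256 call for the variable-length output case. `ITERATIONS` and the record format are assumptions of this example, not any real system's.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256 (assumed value for this example;
# deployments tune it upward as their hardware allows).
ITERATIONS = 100_000


def legacy_md5(password: str) -> str:
    """Unsalted MD5, the storage scheme the article reports. Every user with
    the same password gets the same digest, so identical digests link accounts
    and one precomputed table of common passwords matches all of them at once."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256 record of the form algo$iterations$salt$digest.
    The salt and the work factor sit in the clear beside the digest: they only
    need to be unique per user (salt) and tunable (iterations), not secret."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute from the public parameters in the record and compare in
    constant time, so timing does not leak how many bytes matched."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type: {algo}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def upgrade_legacy_on_login(password: str, md5_hex: str) -> Optional[str]:
    """Migration path away from unsalted MD5: if the supplied password matches
    the legacy digest, return a fresh salted record to overwrite it with;
    otherwise None. No plaintext is ever stored."""
    if not hmac.compare_digest(legacy_md5(password), md5_hex):
        return None
    return hash_password(password)


def variable_length_digest(data: bytes, length: int) -> bytes:
    """SHAKE256 (a Keccak-based extendable-output function): the same input
    yields a digest of whatever length is requested."""
    return hashlib.shake_256(data).digest(length)
```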

------
xiphias2
They made a big mistake, but generally I love reading Blind. There are a lot
of interesting things on it about which I couldn't talk even to my own
colleagues.

~~~
ggggtez
Like many others, I had heard about it and never actually took a look until now.
Seems like a waste of time to me. Make a throw away account on Reddit like
everyone else, and you'll probably get more well thought out and measured
replies.

~~~
xiphias2
On Reddit I have no idea where a person who replies really works.

You either haven't found the interesting threads or the interesting replies
from internal people that make Blind different.

~~~
ggggtez
Obviously your mind is made up, but I don't think you've considered that you
don't _really_ know that someone is a VP at X company on Blind, either. They
_could_ be a janitor.

People are welcome to enjoy whatever fiction they want to read. I'm just
saying you'll probably find more useful and reliable information elsewhere.

------
blahblahblogger
> Blind claims on its website that its email verification “is safe, as our
> patented infrastructure is set up so that all user account and activity
> information is completely disconnected from the email verification process.”

Wow a patented infrastructure! Dope!

I wonder if it's open source so that can be validated objectively?

~~~
nathanvanfleet
I guess you can at least look up the patent and validate the idea.

------
simonebrunozzi
"Blind claims on its website that its email verification “is safe, as our
patented infrastructure is set up so that all user account and activity
information is completely disconnected from the email verification process.”

"Patented infrastructure"? It smells like BS to me.

------
mosselman
"Uber — which later blocked the app on its corporate network."

Reason enough not to work there if you ask me.

~~~
aryamaan
I don't think this claim is true. Friends who work there clarified they can
use Blind at the corp network.

~~~
uber-employee
No, it’s true. This was right after the Susan Fowler event when Uber’s Blind
channel blew up in membership. They blocked it, people just laughed and turned
off wifi, and then they unblocked it a few weeks later.

~~~
aryamaan
Alright. Sorry, I took it as it's banned at the moment too.

------
quickthrower2
Use 4chan as 'anonymous' instead. Or better, a throwaway account on HN.
Remember your VPN.

------
hknd
I enjoyed blind during their early days, now all threads are the same: "HEY,
starting at company XYZ at level N, with total comp of YYYY. Is that good"
"No, that's not possible you are lying!" "Hell yeah, well done mate" ...

------
toss1
Their core functionality is to keep the confidentiality of its users.

There is widespread available technology and know-how on how to do this
successfully and consistently.

Blind failed miserably at this fundamental task.

Yet... >>Blind last month secured another $10 million in new funding after a
$6 million raise in 2017

So the VCs are perfectly happy to dump millions into a company that is
dishonest and incompetent (see also Uber, Theranos), while thousands of
competent honest startups go begging.

Provides a bit of background into why most VC funds struggle to outperform the
market

------
dmode
Like any anonymous forums, Blind is toxic. Hope it dies a quick death

~~~
chillacy
For all the toxicity blind is one of the best resources to discover comp info
online, since sharing salary is still a bit taboo. Some of it is e-statting
but I’ve found it to be useful for when you negotiate comp.

~~~
haditab
There's so much misinformation on it I find it hard to trust. I prefer to go
with H1B salary databases.

~~~
mcpherrinm
H1B databases tend to underestimate. My entry in the database lists my
starting salary from a few years ago, with no bonuses, options/rsus, or
promotion/raises.

~~~
chillacy
levels.fyi is pretty good since it has the bonuses and rsus, but sometimes it
doesn't have everything if it doesn't fit into that structure

~~~
vonmoltke
levels.fyi only really works for companies that have large numbers of reports.
The raw data has so many reporting inconsistencies that it's really hard to
interpret for most companies.

------
firemancoder
They say "anonymous" but right after signing up with my work email they
followed me on Twitter. The two are only connected by my name. Could be
coincidence, but probably not.

Also, the community there is pretty toxic. I understand it's mostly the design
of the app to be a place where people can say what they want, but I think it
attracts a certain type that I'm not terribly interested in getting close
with.

------
jiveturkey
[https://www.teamblind.com/faqs](https://www.teamblind.com/faqs)

> Email verification is safe, as our patented infrastructure is set up so that
> all user account and activity information is completely disconnected from
> the email verification process.

[https://patents.google.com/patent/US9439072B2/en?oq=9%2c439%2c072](https://patents.google.com/patent/US9439072B2/en?oq=9%2c439%2c072)

> Certain embodiments herein also provides a system and method for
> authentication, which can prevent service users' identities from being
> exposed even by hacking of a terminal or server side of a service provider,
> negligence in information management or a manager's misconduct.

impossible.

> Certain embodiments herein also provides a system and method for
> authentication, which can store information provided by a service user
> during subscription and authentication procedures in such a manner that the
> information cannot be decoded from a side of a service provider's server.

Impossible without a trusted 3rd party to perform the authentication and
return a token to the service provider. Which is a well known and well
deployed, not novel technique.

Patents are hard to read, and this one is no exception. Unfortunately I don't
have enough interest to invest the time required, but at a glance it seems
that the technique is to have an authentication server that can hide the user
identity from the relying service, basically by replacing it with a token. Too
obvious.

But there's some kind of dedup exchange mentioned; it might be that the auth
server doesn't itself store a list of the identities that it has authenticated
previously so it has to interact with the service (in a blind way) to dedup.
Perhaps the novelty here is that the service itself cannot uniquely identify
users; ie each post could be coming from _any_ user in a group. All the
service knows is that the post is from a user in that group. On its face, that
seems false -- for the first time ever I actually looked at blind and each
post has a user pseudonym as metadata. There would be no point to that
pseudonym if it didn't represent a uniquely identified individual user.

Anyway, all this is meaningless protection unless there is adequate SoD
between the auth server and the service provider, which for teamblind there
obviously is not.

------
sjroot
How incredibly convenient for an anonymous social network dedicated to
complaining about your employer.

</conspiracy>

~~~
tatar
I keep saying this as well, it's not an anonymous forum. It's an HR tool. You
sign up with your company email ffs.

------
randomacct3847
I stopped reading after reading a thread of grown men throwing hissy fits because
they thought they were screwed over by their $300k salary when they felt they
“deserved” $400k+

~~~
sidlls
It never fails to amuse me how a worker desiring a better wage is something
frequently and deeply mocked here.

------
tomphoolery
When I deleted my account it said "you will be unable to recover your password
through Blind"

Heh, guess I could just use this table of hashed passwords that they exposed
and figure it out myself ;-)

------
ap3
Love Blind - it has been great help during my job search

------
remote_phone
I’m glad to hear at least they don’t seem to be storing ip addresses.

------
jiveturkey
the whole concept of blind is faulty! there is no way you could trust them to
maintain your privacy. and of course _they_ can read all the dirt on
everything. it’s a guarantee they have no meaningful controls in place.

~~~
jiveturkey
too late to edit.

wanted to add, with all the recent (and we know to be continuously ongoing)
talk about chinese espionage ... who needs high-cost espionage when you can
get employees to air dirty laundry at zero-cost?

------
Vadoff
Wait, Blind doesn't use end-to-end encryption?

~~~
pointcloud
How to use end-to-end encryption on a forum?

------
ultrasounder
It's all about TC this TC that tho occasionally one might be able to glean
some Leetcoding tips. But generally degenerate.

