
Stealing private keys from a secure file sharing service - timvisee
https://timvisee.com/blog/stealing-private-keys-from-secure-file-sharing-service/
======
tptacek
We're meant to give credit to a service that fixed an XSS vulnerability in an
hour, and that is indeed a better-than-market turnaround time for an XSS
bugfix.

But consider an alternative perspective: this is a company that was offering
users "encrypted" file transfer mediated by client-side browser JavaScript, in
which there is only dubious, marginal cryptographic separation between
customers and the service itself, which could just as easily serve targeted
customers surreptitious DOM updates to override their claimed security
capabilities.

But that _fundamental_ problem didn't matter, because the service didn't even
sanitize basic, obvious user data, and was exposed to a trivial XSS.

~~~
say_it_as_it_is
Aren't you professionally paid to fix these kinds of problems? You would be
out of work if every developer and product manager put exhaustive pen testing
on its to-do list prior to launch.

First to market is your bread and butter, tptacek.

~~~
bresj
(disclaimer: I'm one of the creators of this very unnamed service)

The XSS issue that was found by Tim was indeed a very fundamental problem
which shouldn't have been in there. We are very happy he disclosed the
information to us so we could fix it directly.

We hired a couple of professional hackers to audit our service but launched
simultaneously. Biggest lesson for us: finish the audit first, launch
afterwards :-)

~~~
say_it_as_it_is
I'm going to give your tech team the benefit of the doubt that it would have
responded to information quickly if it had that information.

Lessons learned here: pay your pen testers quickly because their findings can
affect the reputation of your company, don't launch without responding to
audit results, don't bullshit people working in high tech industries about
what was happening simultaneously, don't blame tech staff for business
decisions.

------
noja
1 hour to fix the issue? You should give them some advertising. Hint: a phrase
from the video is all you need.

~~~
netsharc
Hmm, how about no? "We launched an encrypted file transfer tool, but we forgot
to sanitize input" is somewhat pathetic in 2019. What else has saferequest.net
fucked up?

~~~
bresj
(hi, I'm one of the creators)

Hopefully we fucked up nothing else but please do let us know if we did :-) We
do sanitize all input but unfortunately this one slipped through.

------
mkj
If they'd used WebCrypto the private key wouldn't be extractable.

~~~
codysc
As long as the proper extractable=false options are set.

I'm doing a project utilizing subtle crypto and I'm, right now, doing an audit
to ensure I've got that setup correctly everywhere.

------
woranl
Wouldn't Content Security Policy prevent the execution of inline scripts? Or
have they not used CSP at all?

~~~
bresj
Fixed as of now :-)

