Hacking India's largest automaker: Tata Motors
Related: Jaguar Land Rover hack cost UK economy an estimated $2.5 billion, report says: https://news.ycombinator.com/item?id=45668008
The 'tech' for both these is by guess who? TCS!
Edit: for those who don't know the relation: Tata[1] is a conglomerate that owns both Tata Motors (Jaguar, Land Rover) and TCS (Tata Consultancy Services).
> October 23, 2023: They confirm receipt and are working on taking action. After this date and up until January 2, 2024, there were various back and forth emails trying to get Tata Motors to revoke the AWS keys. I am not sure if something was lost in translation, but it took a lot of pestering and specific instructions to get it done.
Wow, they had to go out of their way and plead with Tata Motors to fix their own shit. I can only admire their patience. Can't say I would be that patient.
The fact that they put their AWS secret keys on their website is incredible.
Security for most Indian companies, even conglomerates, is a joke.
Look at the websites: most look like they've not been upgraded since the 90s, with endless popups.
This shouldn't be a surprise for anyone who has worked with TCS contractors in the past.
If there are any TCS employees on Hacker News, please show this post to your management. This is beyond embarrassing on so many levels.
So the author got nothing but a thank you out of it? That's a shame.
This is a pessimistic comment.
I'm a cofounder of a data and identity security startup operating specifically in APAC. Data security in India is a joke.
I would argue that even with the DPDPA, RBI C-Site and the cyber resilience framework from SEBI, it is just not going to happen here.
The list of PAN cards the blog is talking about has probably already been leaked by some other services.
The recent Flipkart cash-on-delivery scams [1] are an example of how your personal information is just out there in the wild in India, open for exploitation.
There are a lot who do security in good faith (often driven by compliance), and a lot of them are our customers too, but I hope to see the rest of the Indian tech ecosystem take security seriously.
[1] https://www.reddit.com/r/FuckFlipkart/comments/1hhrw9w/what_...
I'll just leave this here:
> September 1, 2023: Tata Motors shared with CERT-IN (who then shared with me) that the issues are remediated. September 3, 2023: I confirm only 2/4 issues were remediated and the AWS keys were still present on the websites, and active. October 22, 2023: After no updates and finding the AWS issues still not remediated, I send over some more specific steps on what must be done. October 23, 2023: They confirm receipt and are working on taking action. After this date and up until January 2, 2024, there were various back and forth emails trying to get Tata Motors to revoke the AWS keys. I am not sure if something was lost in translation, but it took a lot of pestering and specific instructions to get it done.
Stay classy TCS.
btw... some URLs in this image contain JS with vulnerabilities: https://eaton-works.com/cdn-cgi/imagedelivery/VwwCqBIYNXeyNQ...
I'm curious, why wait so long to publish this? The incident was in 2023.
Total tangent, but I got to ride in some of these on a recent trip to India and I was really impressed with the build quality and utilitarian usefulness of the design.
This might be the first time I felt disappointed and sad reading an article like this. The commented username and password felt like something from an early 2000s TV show with the tech guy doing "hacking".
I wonder how many others stumbled upon this before, and it also makes me wonder how many other sites have things like this hidden in plain sight. Insane.
This is embarrassing.
He would have had better results if he said "do the needful" in his first email to them.
Whoa, Tata is everywhere; weren't they also the biggest YouTube channel?
Are there any open source tools that scan the code and detect such gaffes?
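As an added example in response to the question above (not code from the article or from any participant in this thread): a small Node.js scanner for the kind of leak the post describes, AWS credentials sitting in a site's JavaScript. The access-key-ID pattern is the public AKIA/ASIA format; the secret-key pattern, the Shannon-entropy cut-off and the sample bundle are assumptions constructed for this example, and the credential values in the sample are the placeholders used throughout AWS's own documentation, not real keys.

```javascript
// Added example: scan downloaded web assets (JS bundles, HTML) for AWS
// credentials left in the source. Not from the article; the patterns and the
// entropy cut-off are assumptions made for this example.

// Long-term (AKIA) and temporary (ASIA) access key IDs: 4-char prefix + 16 chars.
const AWS_ACCESS_KEY_ID_RE = /\b((?:AKIA|ASIA)[0-9A-Z]{16})\b/g;

// A 40-char base64-ish blob sitting next to a "secret (access) key" label,
// e.g. secretAccessKey: "..." or AWS_SECRET_ACCESS_KEY='...'.
const AWS_SECRET_KEY_RE =
  /secret_?(?:access_?)?key\s*[:=]\s*['"]?([A-Za-z0-9\/+]{40})['"]?/gi;

// Shannon entropy in bits per character: placeholders like "xxxx..." score 0,
// real secrets drawn from a 64-symbol alphabet score well above 4.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// 1-based line number of a character offset, for reporting.
function lineNumberAt(text, offset) {
  let line = 1;
  for (let i = 0; i < offset; i++) if (text.charCodeAt(i) === 10) line++;
  return line;
}

// Returns findings; secret values are redacted to their first 4 characters.
function scanForAwsCredentials(text, { minSecretEntropy = 4.0 } = {}) {
  const findings = [];
  for (const m of text.matchAll(AWS_ACCESS_KEY_ID_RE)) {
    findings.push({
      kind: 'aws_access_key_id',
      value: m[1], // not secret by itself, safe to report in full
      line: lineNumberAt(text, m.index),
    });
  }
  for (const m of text.matchAll(AWS_SECRET_KEY_RE)) {
    const entropy = shannonEntropy(m[1]);
    if (entropy < minSecretEntropy) continue; // skip obvious placeholders
    findings.push({
      kind: 'aws_secret_access_key',
      value: m[1].slice(0, 4) + '...',
      line: lineNumberAt(text, m.index),
      entropy: Number(entropy.toFixed(2)),
    });
  }
  return findings;
}

// Constructed sample "bundle" (not a real site). The credential values are the
// placeholders used in AWS's own documentation.
const SAMPLE_BUNDLE = [
  '// constructed sample bundle',
  'var cfg = {',
  '  region: "ap-south-1",',
  '  accessKeyId: "AKIAIOSFODNN7EXAMPLE",',
  '  secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",',
  '};',
  '// low-entropy placeholder that must NOT be reported:',
  'var demo = { secretAccessKey: "' + 'x'.repeat(40) + '" };',
].join('\n');

console.log(JSON.stringify(scanForAwsCredentials(SAMPLE_BUNDLE), null, 2));
```

Run it over every script and page a crawler pulls from the site rather than over a hand-picked file; the ID regex alone will produce a few false positives in minified code, which is why the secret-key match is tied to a label and an entropy floor. A hit on a live key should be followed by revoking the key in IAM, not by just deleting it from the page, since anyone who already fetched the asset still holds it.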
give this Uri Said by Deepak Gupta
protip: never trust the client
Superpower by 2027.
Users in India don't care as much about the privacy of their data as Western folks do. This reduces the importance of this whole episode, and I don't think this news flashed across TV screens or caused a debate anywhere.
India is a karma society. Karma doesn't mean upvotes. It means you get what you are destined for, or what you deserve. People take things in their stride and keep moving, while keeping their eyes wide open. When you are moving through a jungle, there is no point in blaming thorns or getting angry at wild animals.
> As recently seen with Intel, there seems to be a trend where developers will do this pointless client-side decryption. When the client has the key, it’s strange that anyone would think that would be secure.
I stay and work in India. Yesterday, as part of a VAPT audit by a third party auditor, the auditors "recommended" that we do exactly this. I wonder if this directive comes as part of some outdated cyber security guidelines that are passed around here? Not entirely sure.
When I asked them about how I'd pass the secret to the client to do the client side encryption/decryption without that key being accessible to someone who is able to MITM intercept our HTTPS only API calls anyway, the guy basically couldn't understand my question and fumbled around in his 'Burp' suite pointing exasperatedly to how he is able to see the JSON body in POST requests.
Most of the security people we've met here, from what I can tell, are really clueless. Internally, we call these guys "burp babies" (worse than "script kiddies") who just seem to know how to follow some cookie-cutter instructions on using the Burp suite.