I am not sure, but I read somewhere that the developer(s) used vibe coding to create the app so…
Comment on Women’s ‘red flag’ app Tea is a privacy nightmare
NeilBru@lemmy.world 2 days agoI’m certainly no web security expert, but shouldn’t a basic developer know how to secure said firebase or S3 buckets with STARTTLS or SSL certificates?
gian@lemmy.grys.it 2 days ago
Canconda@lemmy.ca 1 day ago
A lot of people have speculated that.
According to their statement their code was written in Feb/2024 and predates “vibe coding”
gian@lemmy.grys.it 21 hours ago
What intrigue me is this:
I’m confident vibe coding was not to blame in this particular case,
So they used vibe coding, they are only saying that they think/hope that it is not the cause of the break (and maybe also of the second one)
And if vvibe coding is not caused then they are even more incompetent.
GissaMittJobb@lemmy.ml 1 day ago
SSL is not the tool you need in this case, although you should obviously already be running exclusively on encrypted traffic.
The problem here is one of access rights - you should not make files default-available for anyone that can figure out the file name to the particular file in the bucket. At the very least, you need to be using signed URLs with a reasonably short expiration, and default all other access to be blocked.
NeilBru@lemmy.world 1 day ago
As I mentioned in other comments, I am a noob when it comes to web-sec best practices, so please forgive what may be dumb questions.
Is it really just permission rights “over-exposure” issue? Or does one need to also encrypt and then decrypt the data itself that must be sent to a database?
Also, if you have time, recommend any links to web/cloud/SaaS security best practices “for dummies”?
nickwitha_k@lemmy.sdf.org 16 hours ago
As I mentioned in other comments, I am a noob when it comes to web-sec; please forgive what may be dumb questions.
There’s nothing to forgive. Asking questions and being curious is how you learn this stuff.
Is it really just permission rights “over-exposure” issue?
From what I’ve read, it’s more fundamental than that. It’s a basic architecture issue. The datastore was publicly accessible, which it should never be. If they had it setup according to best practices, with an API to proxy access and auth, the datastore’s permissions would be of minimal consequence, unless their network was compromised (still best practice to secure it and approach with a zero-trust mindset).
Or does one need to also encrypt and then decrypt the data itself that must be sent to a database?
Generally, cloud datastores handle encryption/decryption transparently, as long as the account accessing data has authorization to use the key. They probably also didn’t have encryption setup.
Also, if you have time, recommend any links to web/cloud/SaaS security best practices “for dummies”?
Here are some more resources:
zqps@sh.itjust.works 1 day ago
It’s a little more complex than that. If you want the app on the user device to be able to dump data directly into your online database, you have to give it access in some way. Encrypting the transmission doesn’t do much if every app installation contains access credentials.
Obviously there are ways around this too, but it’s not just “use TLS”.
NeilBru@lemmy.world 1 day ago
Encrypt the credentials then? Or OAUTH pipeline, perhaps? Automated temporary private key generation for each upload (that sounds unrealistic, to be fair)? Can credentialing be used for intermediary storage that’s encrypted at that server and then decrypted on the database host?
Clearly my utter “noobishness” is showing, but at least it’s triggering a slight urge to casually peruse modern WebSec production workflows. I am but a humble DNNs-for-parametric-CAD-modelling (lots of Linear Algebra, PyTorch, and Grasshopper for Rhino) researcher. I am far removed from customer-facing production environments, and it shows.
Any recommendations on literature or articles on how engineers solve these problems in a “best practices” way that you can recommend? I suppose I could just look it up, but I thought I’d ask.
nickwitha_k@lemmy.sdf.org 1 day ago
You’ve got the right ideas. Noone should ever be storing any password in plaintext. It should always be hashed and the hash stores. That’s like WEBDEV99 (remedial course, not even 101).
Really. Despite your stated “noobishness”, you basically landed in the territory of best practices right of the bat.
If you’re looking for a good source of best practices, the CIS benchmarks are great. www.cisecurity.org
NeilBru@lemmy.world 1 day ago
Brother, I need the “remedial” lessons since I self-host a lot of my experimental DNN solutions on a GPU cluster served via CasaOS/Ubuntu-Server LTS.
I’ve followed basic tutorials about nginx, end-to-end encryption, and DNS, but I need more knowledge and training about the theory behind modern security best practices. I think I’m doing okay but I have this ever-present anxiety that I’ve overlooked something and my ass (i.e., sensitive data) is really just hanging out in the wind.
Thank you for your recommendation.
Chulk@lemmy.ml 1 day ago
Wouldn’t some sort of proxy in between the bucket and the client app solve this problem? I feel like you could even set up an endpoint on your backend that manages the upload. In other words, why is it necessary for the client app to connect directly with the bucket?
Maybe I’m not understanding the gist of the problem
zqps@sh.itjust.works 23 hours ago
Exactly, it’s not necessary. It’s bad / lazy design. You don’t expose the DB storage directly, you expose a frontend that handles all the authentication and validation stuff before accessing the DB on the backend. That’s normal Client-Server-Database architecture.
nickwitha_k@lemmy.sdf.org 1 day ago
Yeah. You also landed on a correct thought process for security. Cloud providers will let you make datastores public but that’s like handing over a revolver with an unknown number of live chambers and saying “Have fun playing Russian roulette! I hope you win.” Making any datastore public facing, without an API abstraction to control authN and authZ is not just a bad practice, it’s a stupid practice.