Very strange things when submitting ads

UPD. As I wrote at the end of the post: if they show me where I went wrong, I will sprinkle ashes on my head.

We must give credit to the specialists at Cyan: they reacted very quickly and laid everything out point by point. Here are their explanations, unchanged:



Oleg Maslennikov, Architect of Cyan Security:



"I am engaged in security at Cyan, and I would like to draw your attention to a couple of factual and technical errors in the article. First, it is argued that the data "flies away" and is processed by an overseas service. This is not true. We use Sumsub, a global organization with HQ in London and offices in PM in Russia, operating in accordance with the laws of the Russian Federation.

Russian passports are processed by the company's Russian legal entity, Digital Security Technologies LLC (sumsub.ru).

Storage information:

- Link to the relevant section of the site: sumsub.ru/security

- Storage according to the requirements of the RKN: in accordance with the notification sent to the RKN, personal data is stored in the data center of the Selectel company.



- Digital Security Technologies LLC is included in the register of PD Operators of Roskomnadzor.

Secondly, about the claim that the data goes to a server that is physically located in America. Sumsub uses the CloudFlare system to protect its sites and services. CloudFlare is a proxy, so they always have the same IP, but the data route goes to the nearest DC. There are two such DCs in Russia, in Moscow and St. Petersburg. You can easily check this route with traceroute."



I will add that the security department of cian.ru turned out to be surprisingly open and ready to discuss security issues.



TL;DR: When uploading a passport to the site cian.ru, it "flies" to the foreign face recognition service at api.sumsub.com.



Preamble



Hello again. Perhaps the tinfoil hat is pressing on your head again, but there are questions and suspicions that I would like to share with you. In one of the previous posts, a strange and controversial "feature" in the mail.ru mailer was shown. A new day brought new discoveries. This time, the well-wisher wished to remain anonymous. But thanks anyway for sharing the material.



Cian.ru is a site positioned as "a reliable database on the sale and lease of residential, suburban and commercial real estate" and belongs to CIAN Group. The resources of this company are quite popular. The company declares that it is the "Leader of online real estate in Russia (in terms of the number of visits to the cian.ru website by Internet users according to LiveInternet data in the Real Estate section as of March 12, 2020)". All this is in the footer of the site. Something else is interesting.



A couple of years ago, questions began to appear on the Web regarding a new requirement from the resource: the user must upload his passport. A quick google leads us straight to the reference section, which lists the necessary steps for identification and explains why it's good.



However, users expressed concerns (one, two, three, etc.), because the dataset consists of at least passport data + a scan of the RF passport + a photo with the open passport in hand. This is for individuals. If you are an individual entrepreneur or a legal entity, you need to provide even more data.



But enough of the preamble. Let's see what happens if the user simply submits an ad for the sale of an apartment.



Fable



We will watch the actions through our DLP. The interception from the HTTPController and MonitorController modules is of primary interest; I think the names make it clear what each of them intercepts. I apologize in advance for the quality of the screenshots. At the moment, none of the employees is selling an apartment, so we could not fully reproduce the case. We will show and explain using the production system.



So, let's sort the interceptions from the two channels by time in order to see the chronology of actions clearly.



Action 1. A person visits cian.ru and starts submitting an ad. In the HTTP interception it can be seen that the photos were sent: 4 of them (lines 6-9 in the screenshot).



image



You can immediately, right there, look at the attachment that was sent to cian.ru. We make sure that these are photos of the interior of the apartment.



image



The MonitorController interception (line #10) confirms everything. The browser is visible, the 4 uploaded photos are visible, and the same photos are visible in the ad body.



image



Action 2. An interesting moment comes. After the photos are uploaded, different requests fly off to different places: something to the Cyan API, something to mail.ru, something to Facebook. What for? I do not know. But no obvious crime was found here. Finally, there comes a point where the identity verification step appears.



image



Some readers may be wondering how the system manages to take screenshots at just the right moment. It's simple. MonitorController has an option "Take a screenshot when the active window changes". Here we see exactly such a situation: a person presses a button to add a photo, a window opens, the system reacts. No witchcraft.



Let's take a closer look at the screen.



image



If you followed closely, you might remember that this screen was on line #27. What's next in the chronology? Line #28 hurries to kill the intrigue: the man added his passport. But!



image



Just look what the Canadians are doing! The passport flies to api.sumsub.com. You can make sure of this by opening the file itself in the interception.



image



One last hope remains. Maybe this service processes images in Russia? I would like to dramatically throw the evidence into the hall, but let's be honest to the end. In this case, our DLP recorded the proxy server's address as the destination IP.



Therefore, I suggest you check for yourself where your passports fly away to when submitting ads. For my part, I can enter the "ping -a" command, which returned "104.26.10.41".



image
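The two observations above pull in opposite directions: the DLP shows the passport upload leaving for api.sumsub.com, while ping resolves that host to 104.26.10.41, and the Cyan architect's reply points out that a CloudFlare address is a proxy edge, so the destination IP says nothing about where the data is ultimately processed. The following added example (mine, not the author's or Sumsub's tooling) shows how a defender reviewing DLP records would separate the two cases: it parses constructed DLP-style interception lines and flags whether each destination IP falls inside CloudFlare's published IPv4 edge ranges. The record format, the hostnames ending in .test, and all IPs other than the page's 104.26.10.41 are constructed for the example; the CloudFlare ranges are the list published at cloudflare.com/ips-v4 and should be refreshed before any real use.

```python
import ipaddress
from typing import List, Dict

# CloudFlare's published IPv4 edge ranges (https://www.cloudflare.com/ips-v4).
# Snapshot for this example; re-fetch the list before relying on it.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Constructed DLP HTTP-interception records (not real captures), one per line:
# "<timestamp> <destination host> <destination IP> <bytes sent>".
# 104.26.10.41 is the address the post reports for api.sumsub.com; the other
# hosts and IPs are made up (RFC 5737 documentation ranges).
SAMPLE_DLP_LINES = """\
2020-07-31T10:14:21 api.sumsub.com 104.26.10.41 2211078
2020-07-31T10:14:22 photos.listing-cdn.test 203.0.113.7 51200
2020-07-31T10:14:25 analytics.tracker.test 198.51.100.23 812
"""


def is_cloudflare_edge(ip: str) -> bool:
    """True if the IP lies inside one of CloudFlare's published IPv4 edge ranges."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        return False  # only the v4 list is embedded here
    return any(addr in net for net in CLOUDFLARE_V4)


def parse_dlp_line(line: str) -> Dict[str, str]:
    """Split one constructed DLP record into its fields; ValueError on bad shape."""
    parts = line.split()
    if len(parts) != 4:
        raise ValueError(f"unexpected record shape: {line!r}")
    ts, host, ip, nbytes = parts
    ipaddress.ip_address(ip)  # validate early; raises ValueError if malformed
    return {"ts": ts, "host": host, "ip": ip, "bytes": nbytes}


def classify_destinations(text: str) -> List[Dict[str, str]]:
    """Annotate each record with what its destination IP can and cannot tell us.

    A proxy-edge IP means the DLP saw only the nearest anycast node; where the
    request was actually processed cannot be read off that address, which is
    exactly the gap between the author's ping result and the architect's reply.
    """
    results = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        rec = parse_dlp_line(raw)
        if is_cloudflare_edge(rec["ip"]):
            rec["verdict"] = "cloudflare-edge"
            rec["note"] = "proxy address; processing location not determinable from IP"
        else:
            rec["verdict"] = "direct"
            rec["note"] = "IP identifies the host that actually received the data"
        results.append(rec)
    return results


def summarize(text: str) -> Dict[str, int]:
    """Count records per verdict, handy for a quick triage report."""
    counts: Dict[str, int] = {}
    for rec in classify_destinations(text):
        counts[rec["verdict"]] = counts.get(rec["verdict"], 0) + 1
    return counts


if __name__ == "__main__":
    for rec in classify_destinations(SAMPLE_DLP_LINES):
        print(f'{rec["ts"]} {rec["host"]:28} {rec["ip"]:15} {rec["verdict"]:16} {rec["note"]}')
    print(summarize(SAMPLE_DLP_LINES))
```

The practical takeaway for a DLP reviewer is the "cloudflare-edge" verdict: for such records the destination IP alone neither confirms nor refutes a claim about where the data is processed, so the evidence has to come from elsewhere (the provider's stated legal entity and storage location, or a traceroute showing which edge node answered), which is precisely the argument made in the update at the top of the post.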



In general, on this bright sysadmin holiday, which is also a Friday (!), I would like to believe that I was mistaken or misunderstood something somewhere. Well, in that case, I will be ready to sprinkle ashes on my head, publicly apologize and go back to the fundamentals. In the meantime, I urge the community to independently verify the stated facts and, if possible, share the results.


