Hello again. Perhaps the tinfoil hat is pressing your head again, but there are questions and suspicions that I would like to share with you. In one of the previous posts, a strange and controversial “feature” in the mail.ru mailer was shown. A new day brought new discoveries. This time, the well-wisher wished to remain anonymous. But thanks anyway for sharing the texture.
Cian.ru is a site positioned as “a reliable database on the sale and lease of residential, suburban and commercial real estate” and belongs to CIAN. Group “. The resources of this company are quite popular. The company declares that it is the “Leader of online real estate in Russia (according to the number of visits to the cian.ru website by Internet users according to LiveInternet data in the Real Estate section as of March 12, 2020). All this is in the basement of the site. Another thing is interesting.
A couple of years ago, questions began to appear on the Web regarding a new requirement from the resource: the user must upload his passport. A quick google leads us directly to the help desk section, which lists the necessary steps for identification and explains why it is good.
However, users expressed concerns (time, two, three etc.), because the dataset consists of at least passport data + a scan of the RF passport + a photo with an open passport in hand. This is for individuals. If you are an individual entrepreneur or a legal entity, you need even more data.
But enough of the lyrics. Let’s see what happens if the user simply submits an ad for the sale of an apartment.
We will watch the actions through our DLP. Interception from the HTTPController and MonitorController modules is of interest primarily. I think the name makes it clear that each of them intercepts. I apologize in advance for the quality of the screenshots. At the moment, none of the employees is selling an apartment, so they could not fully reproduce the case. We will show and explain on the “combat” system.
So, let’s sort the interception from two channels by time in order to clearly see the chronology of actions.
Step 1. A person visits cian.ru and starts submitting an ad. It can be seen in the interception on http that the photos flew. 4 pieces (lines 6-9 in the screenshot).
You can immediately see the attachment that flew to cian.ru without leaving the checkout. We make sure that photos of the apartment interior are loaded.
Interception of MonitorController (line # 10) confirms everything. The browser is visible, 4 uploaded photos are visible, the same photos are visible in the ad body.
Step 2. An interesting moment comes. After uploading a photo, different packages fly to different places. Something on the cyan api, something on mail.ru, something on facebook. What for? I do not know. But no obvious crime was found here. Finally, there comes a point where the identity verification step appears.
Some readers may be wondering, how is it so successful and at the right time the system makes screenshots? It’s simple. MonitorController has an option “Screen when changing active window”. Here we see just such a situation: a person presses a button to add a photo, a window opens, the system reacts. No witchcraft.
Let’s take a closer look at the screen.
If you followed closely, you might remember that this screen was on line 27. What’s next in chronology? Line # 28 is in a hurry to kill the intrigue – the man added his passport. But!
what canadians do! The passport flies to api.sumsub.com. You can make sure by opening the file itself in the interception.
The last hope remains. Maybe this service processes images in Russia? I would like to dramatically throw evidence into the hall, but to be honest, you have to be it to the end. In this case, our DLP fixed the proxy server address as the destination IP.
Therefore, I suggest you make sure for yourself when your passports fly away when submitting ads. For my part, I can enter the “ping -a” command, which issued “188.8.131.52”.
In general, on this bright sysadmin holiday, which is also Friday (!) I would like to believe that I was mistaken or misunderstood somewhere. Well, in that case, I’ll be ready to sprinkle ashes on my head, publicly apologize and teach materiel. In the meantime, I urge the community to independently verify the stated facts and, if possible, share the results.