Chengye, Xiao, Ctrip, the bitter truth behind the leaks

Yeyaming never thought that his ctrip gets upgrade to its OpenStack team caused great pressure. Since taking office, the Ctrip new technical vice president has made sweeping changes to the entire technical framework.

Chengye, Xiao

A credit card payment "loophole" disclosed on a dark cloud platform has tripped the ambitious Yeyaming. This vulnerability hash is: bf9165488f5e2ea3ca02ec6b310446b0.

Although in the past, cloud network has been continuously disclosed Jingdong Mall, Alipay, NetEase and other domestic famous Internet enterprises in the user information security protection of high-risk vulnerabilities. However, the detailed description of the Ctrip Vulnerability-"The Ctrip user name, identity card number, bank card category, bank card number, bank card CVV code, etc., which is paid by credit card, may have been read by hackers", provoking the public's sensitive nerves.

For the credit card of this "blockbuster loophole" has been a media exposure, online OTA website without card without a password to pay the industry is a common problem, but it makes Ctrip Lok Ma.

Ctrip's technology research and Development Department and Information Security Department in the industry has a reputation, completely self-built Ctrip IT system including website system, online trading system, procurement system, such as child business system, from the complexity, can be comparable to the only Taobao.

But the key is that there is a subtle game relationship between the Technology Development Department and the Ministry of Information Security, and Ctrip's loophole originates from the accidental mistakes of the department employees, and is the inevitable result of the vicious competition of OTA (online travel agent) enterprise.

Their explanation

Online tourism market multifaceted, occupy the largest market share of Ctrip as a pioneer once lead, live a single big day. However, as the Art Dragon, where to go to the rise of competitors, its leading position is already in jeopardy. Business model, Ctrip still relies on the establishment of the first more than 10 years ago to establish a call center business volume, and the old rival art Dragon has long been in the revolution, cut off the line card issuing channels to fully develop online sales.

And Ctrip remained on the stand until the Yeyaming appeared.

As the boss of OTA industry, after more than 10 years of development, Ctrip gradually build their own moat-a powerful IT system. And this core department has been quite mysterious, financial weekly (micro-letter public number: Money-week) reporters turned to find insiders also refused media interviews. Financial Weekly reporter So many inquiries, trying to uncover its little-known corner.

The IT system of Ctrip is complex and huge, and it is built entirely on the inside step by step. Yeyaming, after the arrival, in Ctrip completed several important technical improvements. According to the China Software Development Alliance CSDN Public data show, Ctrip technical upgrading is arranged in the front and rear side respectively. At the front of the Web site to make the page revision, the Open API (open application programming Interface) in the background opened the platform resources, at the same time set up a data center for large processing.

Cloud technology is just a Yeyaming, his greater ambition in the company's technical framework of innovation, the current Ctrip has adopted OpenStack this cloud computing platform to build.

He is in a long-term bureau.

In Yeyaming eyes, the wireless end of the business growth in the future will be far more than the call center. Under the new architecture, the entity machine can be completely virtualized. For example, add 300 people, generate 300 virtual machines on it, although the number of increase, but the number of management machines has not changed, which will improve efficiency.

Can imagine, if all this is foolproof, this is called Yeyaming in Ctrip's great campaign.

However, the financial weekly reporter access to the Chinese Software Development Alliance CSDN Public Information found that Ctrip OpenStack team total of less than 20 people, of which the core technical personnel only six or seven, compared to the huge call center and wireless terminal business staff is bucket.

Sink, ruined in the nest.

This is the building of a large system of departments, but not long ago because the technical staff were not careful, hackers caught the handle.

On the afternoon of March 22, cloud Platform released a message that the system has technical loopholes, can lead to user personal information, bank card information and other leaks. 11 o'clock that night, Ctrip technicians to confirm the vulnerability. 23rd Morning 7, Ctrip official said the loophole has been repaired.

According to Cloud network, Ctrip will be used to deal with user payment of the service interface to open the debugging function, so that part of the bank to verify the card owner interface transmission of packets are directly stored in the local server.

and Ctrip public relations for the cause of the event to accept the financial weekly reporter said: "The loophole is Ctrip technicians in a server for system problems, leave the temporary log was not deleted in time." ”

Regarding the technical investigation, the related website technician has carried on the detailed description to the financial weekly Reporter: "All websites at this point are similar, the website technician will periodically scan each server, mainly in order to discover the latent loophole, and carries on the patching." Such scans, some of which are done by themselves, are scanned by Third-party agencies, which issue lists of vulnerabilities and fix opinions. ”

The Department of this scanning vulnerability is also known as the Ministry of Information Security or risk control department, within Ctrip has an independent information safety department specifically responsible for vulnerability scanning and troubleshooting, but the vulnerability of the third party platform Cloud Network released.

Ctrip said to reporters: "This part of the information is also in the encrypted state, even if you get the information to be read through the crack." "It's not a difficult task for hackers," he said.

At the same time, the financial weekly reporter call another OTA enterprise, in its Web site with the same as Ctrip without card without a secret can be successful. Its CEO said: "We are not in the clear, we are encrypted save, Ctrip this case we also read, but the specific situation is not very clear." "For customer information that was not paid at that time, there is no provision for the preservation of customer sensitive information 7 days, specifically by the research and development and audit law of the Wind control department."