Security concerns of group buying websites

During the Golden Week of the 11 S, the group buying market was once again on fire. Group Buying promotions such as "smashing golden eggs" and "receiving red packets" were in full swing. However, according to the China Group Buying website security detection report released by the 360 security center today, the security of group buying websites in China is currently uneven. About 70.6% of websites have high-risk vulnerabilities, mainly for small and medium group buying websites, hackers may exploit this vulnerability to break the golden eggs, receive red packets, or even steal the passwords and consumption creden。 of other group buying users.

To protect the personal information and consumption security of group buying users, Qi Xiangdong, president of 360, announced that website security has always been an important standard for 360 Group Buying navigation and recommending group buying websites. In addition, the 360 website security detection platform (http://webscan.360.cn) will also provide free Vulnerability Detection and repair suggestions for all group buying websites to help them fully fix vulnerabilities.

Qicheng group buying website has high-risk Vulnerabilities

On June 23, 360, the security center released the China Group Buying website security detection report. The report shows that the proportion of websites with high-risk vulnerabilities among nearly 360 Group buying websites authorized for 300 of Security Detection has reached 70.6%, mainly for Small and Medium websites; the security status of well-known large group buying websites is relatively good, and the proportion of websites with high-risk vulnerabilities is 25.0%.

According to relevant data, despite the recent collapse of a large number of group buying websites, the number of group buying websites in China is still more than 5000. For example, based on the proportion of 360 of Website Security Detection results, the number of group-buying websites with high-risk vulnerabilities in China exceeds 3500! Qi Xiangdong believes that a large number of "micro" Enterprises flood into the group buying market, and they do not have the ability to detect and fix vulnerabilities, which is the main cause of the existence of high-risk vulnerabilities on the qicheng group buying website.

According to the staff of the 360 website security detection platform, many group buying websites have weak security awareness. For example, when using open-source Group Buying Programs, the vulnerabilities are ignored, as a result, hackers can log on to the website administrator account without a password and tamper with the website page. With the above vulnerability, hackers can also log on to other group buying user accounts to view consumption records or steal consumption creden. Statistics show that the proportion of these group buying websites is as high as 41.5%.

Risks of group buying websites: data loss and fraudulent use of user consumption creden

A technical blog once revealed that it had informed a group buying website three times to fix vulnerabilities. Take the "invite friends and drop eggs" activity as an example. As long as you use the vulnerability as an automated tool, you can get more than 4 billion chance to drop eggs, in the test, he smashed more than 2000 golden eggs (each of which is equivalent to a coupon of 10 yuan ).

Compared with activity vulnerabilities such as "golden eggs", website vulnerabilities are obviously more serious. According to analysis by 360 engineers, Group Buying website vulnerabilities may lead to three types of risks: first, leakage of user passwords, consumption creden;, and other consumer data; second, malicious tampering of website homepage, product prices, and other webpage content; third, the website server is implanted with a script backdoor, and the entire website or even the server system is completely controlled by hackers.

360 The Group Buying website security detection report shows that a group buying user generally registers an account with a common email address and password and performs online payment through the product page. The economic benefits of group buying users are more likely to attract hacker attacks. Previously, the marketing activities of a group buying website were interrupted by hackers, which not only lost millions of yuan, but also affected the reputation. According to industry insiders, the user database of a group buying website is connected by hackers. It is recommended that users change their passwords on a regular basis.

As of press time, the group buying websites tested by the 360 website security detection platform had fixed the vulnerabilities one after another. Qi Xiangdong, president of 360, said that as an important e-commerce carrier, group buying websites may suffer irreparable loss of business and user property even if they only have minor negligence on security issues. In addition to recommended products for users, Group Buying navigation 360 also ensures that users shop and consume products on a safer group buying website.

It is reported that any website only need to apply for and pass the authentication, 360 website security detection platform (http://webscan.360.cn) can provide completely free Security Detection and repair suggestions.

Figure 1: Group Buying website vulnerabilities can easily cause the risk of user privacy and property loss

Figure 2: Top 10 common vulnerabilities of group buying websites in China (Data source: 360 website security detection platform under the 360 Security Center)