12306 site's largest user information disclosure event

Absrtact: This is not the first time that 12306 websites have had a user information disclosure incident, but the biggest one. 12306 The official website announced on the day that, after careful verification, this disclosure information all contain the user's plaintext password. 12306 site database All user passwords are multiple times

This is not the first time that 12306 websites have had a user information leak, but the biggest one.

12306 The official website announced on the day that, after careful verification, this disclosure information all contain the user's plaintext password. 12306 website database All user passwords are multiple encryption of the non-plaintext conversion code, the Internet leaked user information through other websites or channels outflow. At present, the public security organs have been involved in investigation.

December 25 10:59, Cloud Network Publishing vulnerability reported that a large number of 12306 user data on the network spread wildly.

At this time, it is the key time to buy tickets during the Spring Festival, 12306 site visits every day is amazing.

Cloud NET founder Shadi told the 21st century economic reporter, "This is the cloud net history, the first time such large-scale railway user data leaks." ”

It is understood that the leakage of the incident was leaked data up to 131,653, including user accounts, plaintext password, ID card and mailbox and many other information.

Cloud Network is a platform focused on Internet security vulnerability reporting. Shadi said that cloud nets every day to monitor the data, 12306 is only one of today's content. But previously, they have reported 12306 of websites leaking user information.

To this user information leaked incident, the network discussion is enthusiastic. Some netizens are worried that the leaked information contains information such as bank cards used in the process of buying tickets. Professionals suggest that if users use the same username and password on 12306 sites on other sites, they should change the password.

A number of security experts interviewed by the 21st century Economic report said the incident analysis that this is likely to be the hacker "hit the library" behavior caused by, rather than 12306 of the site directly leaked, but the same description of 12306 sites still have security vulnerabilities. However, some experts believe the cause of the incident is still unknown.

On the impact of this incident, Zhu, a researcher at the Center for Communication Law, said that if 12306 is caused by negligence of information disclosure, the judicial practice will use the principle of fault presumption to determine tort liability, "that is the presumption of 12306 existing fault, then 12306 to prove that they have done the security responsibility", Zhu said.

What is the reason for the leak?

Cloud Network founder Shadi told the 21st century economic reporter, December 25 10:59, after the incident, the cloud net immediately checked, confirmed the authenticity of the message after the issue was released.

Shortly after 12306, I knew the news and contacted the Cloud network, saying that he would investigate the matter carefully and publish the announcement later.

14:15, cloud network through Sina Weibo released a message that the data suspected hackers hit the library after the collation, rather than 12306 direct leakage, please change the password in a timely manner and cautious use of ticket tools.

Shadi also to the 21st century Economic report reporter said, the so-called "pool" is the hacker through the collection network has leaked user name and password information, generate a corresponding "dictionary table" to other sites to try to log in bulk, get a group of users can log in user account and password.

After the login user's backstage, may exist the mailbox, the mobile phone number, the ID card number is leaked, the accounting integral and the account balance loss and so on many kinds of risks.

"If users modify the original password in a timely manner, you can circumvent the risk of collision." "But that doesn't mean your information is completely safe," Shadi said. ”

Shadi told reporters that in addition to the pool, there is another way called the Drag library. Hackers directly download the entire database of a platform through technology. "But this 12306 leak can exclude the possibility of a drag library. ”

In the industry, "drag library" refers to the invasion of valuable Web sites, the database all stolen behavior. After stealing the data, the hacker will clean the data through a series of technical means, and convert the valuable user data in the black market into a transaction, this is "wash the storehouse". Finally hackers will get the data on other sites to try to log on, called "Crash Library."

Cai, deputy general manager of the Wave Electronic information Security division, said to the 21st century economic reporter, "there is a very mature industrial chain in the black city of the Internet, and there is a very mature process of forming interest: drag, sink and pool." ”

In response to the leak, security researchers at the 360 Internet Security Center said in a written response to an interview letter from the economic reporting economy in 21st century that "the 12306 Web site information leak was caused by hackers crashing into the library." ”

The reason is that, after their safety researchers found that the first, almost all 130,000 12306 account passwords, can be in the previous game sites leaked password library to match the corresponding records. Description hackers use a number of game Web site password database on the 12306 launch "Crash Library" attack, screening out more than 130,000 users using the same account password user data. Second, through a sample of 12306 of the leaked data, more than half of the users did not use any software to grab the tickets, while the rest were using different ticket-grabbing software.

In the aftermath of today's leaks, it was circulated on the Internet that 18G of complete 12306 databases had been leaked, but no one has found the database online yet.

After the leak, 12306 issued a notice that the user information leaked online through other websites or channels, the reason is that 12306 of the site is using a number of encrypted passwords, and the leak is plaintext password. This, according to analysts, also explains from another side that the passwords may not have been leaked from 12306 websites.

According to the Black Cloud official website released the source, the loophole has been entrusted to the third party manufacturer National Internet Emergency Center processing. December 25, the National Internet Emergency Center for the 21st Century Economic report reporter said: "The incident is under investigation, the results of the official website issued." ”

A network security researcher told the 21st century Economic report that 12306 websites knew the story the first time and posted a bulletin, but a few hours later, those username and password can also be logged in, and may be used to change the password of others, find someone else's phone number, or even help others refund, " Why do they not emergency through technical means, SMS to inform users, the disclosure of user passwords to force changes or remind customers to change? ”

Why is there such a big loophole?

However, Shadi said, "the matter is not yet conclusive." ”

In the 12306 site in the announcement of the above notice, but also specifically remind passengers not to use Third-party ticket software to buy tickets. This led to suspicion that the leak was the result of a third-party robbery software.

A long-time researcher on the software to brush the tickets told the 21st century Economic report that the current ticket-grabbing software is developing at an extremely fast pace, but there is no clear profit model, so the possibility of leaking data from Third-party software remains.

A technical person engaged in software program development told the 21st century Economic report reporter, this kind of ticket-grabbing software technical requirements are generally not high, if the third party does not have strict protection measures, the user information is unsafe hidden dangers.

For this, 360 company related personnel written response said, 360 rob the king based on 360 Security browser, 360 security browser Internet security technology and measures can guarantee the security of the ticket king. They believe that the 12306 data leakage incident and the ticket-grabbing software is irrelevant.

Internet security experts are more concerned about, if it is really a leak caused by the database, 12306 site Why would leave such a large loophole?

"If this crashed into Google, Microsoft, it will not be successful." Because the mature Web site will be on the landing server set up two times authentication program. Many domestic web sites in order to save costs, and did not set up this program. Tiejun, a leopard mobile security expert, told the 21st Century Economics report. It is not clear, however, whether the vulnerability is related to the validator setup.

According to a professional who knows more about cloud networks, 12306 of websites have been exposed to 50 leaks on cloud Web sites since February 2012, involving 7% of leaks of user data and sensitive information, and 44% of vulnerabilities that could indirectly lead to information leaks. Examples include command execution vulnerabilities and SQL injection vulnerabilities.

The vulnerabilities that have been detected have lasted a long time. The professionals say they do not understand why these loopholes have not been remedied.

360 security expert Anyan also thinks, 12306 website is crashed the storehouse, the explanation 12306 account security system still needs further consummation, discovers as soon as possible and blocks the hacker to hit the storehouse attack.

According to the 21st Century Economic report, 12306 sites were developed by the Iron and Steel Academy, which is the former unit of the Ministry of Railways.

A person engaged in the Gaotian industry reported to the 21st century Economic report that, in fact, early in the Iron Institute has found the internal problem, but has not been fully resolved until now.