Cloud vulnerability Release Report message, Ctrip leaked user credit card payment loophole

In 2014, March 22, the afternoon of the 18:18 points, Cloud vulnerability platform released data message that Ctrip system storage technology loopholes, may lead to user personal information and bank card information leaks. According to the survey of cloud platform, Ctrip opened the debugging function to the service interface for processing user's payment, so that some of the packets that were transmitted to the bank to verify the owner interface of the card were kept directly in the local server. And the dark clouds report says the leak information includes the user's name, identity card number, bank card number, bank card category, Bank card CVV code (that is, a 3-bit or 4-digit number generated by the bank card number, expiration and service constraint code), and a bank card 6-bit bin ( 6 digits for payment, the information is likely to be stolen by hackers.

The day of 23:22 points, Ctrip back to the cloud, Ctrip technicians in the disclosure after the leak has confirmed the vulnerability, and within two hours to repair the vulnerability, and the cloud platform to find the vulnerability information expressed thanks. The user affected by this vulnerability is generally a recent segment of the transaction customer, until the vulnerability was released before the user was affected by the vulnerability caused by the corresponding loss of property found. Ctrip Network to Information security always very much, if the vulnerability of the discovery of new progress will be continued to inform.

It is understood that the cloud is a manufacturer and security researchers in the security problem Feedback platform, previously issued a number of domestic enterprise information system technology loopholes, to promote the enterprise to repair loopholes.

Cloud vulnerability Platform Report full text

Defect Code: wooyun-2014-54302

Vulnerability Title: Ctrip Security payment log can traverse download led to a large number of users bank card information leakage (including cardholder name ID card, bank card number, card CVV code, 6-bit card bin)

Related manufacturers: Ctrip Travel Network

Vulnerability Author: Guinea pig

Submitted Time: 2014-03-22 18:18

Vulnerability type: Sensitive information disclosure hazard

Grade: High

Vulnerability status: Vendor has confirmed

Source of vulnerability: http://www.wooyun.orgTags

Vulnerability Details Disclosure Status:

2014-03-22: Details have been notified to vendors and are awaiting vendor processing

2014-03-22: The manufacturer has confirmed that the details are only disclosed to the manufacturer

Brief description: Ctrip will be used to deal with user payment of the service interface to open the debugging function, so that all the banks to verify the card owner interface transmission of packets are directly stored in the local server.

(similar to IIS or Apache access logs, log URL post content).

At the same time because the server that holds the payment log does not have a strict baseline security configuration, there is a directory traversal vulnerability, which results in all the debugging information in the payment process can be read by any hacker.

The information leaked includes the user's:

Card Holder Name

Cardholder ID Card

Type of bank card held (for example, China Merchants Bank credit card, BOC credit card)

Bank card number

Bank card CVV Code

6-bit bin with bank card (6 digits for payment)

Loophole hash:bf9165488f5e2ea3ca02ec6b310446b0 copyright NOTICE: Reprint Please indicate the origin of the pig

--------------------------------------------------------------------------------

Vulnerability response Vendor Response: Hazard Rating: High

Vulnerability Rank:20

Confirm Time: 2014-03-22 23:22

Manufacturers reply: Ctrip has confirmed the vulnerability, and in two hours in time to repair, the cloud platform to find the vulnerability information expressed thanks. The user affected by this vulnerability is a recent part of the transaction of customers, there is no user is affected by the vulnerability caused by the corresponding loss of property found. Ctrip always attaches great importance to information security, for this vulnerability event if there is new progress will continue to inform.

Latest Status: No

Hidden dangers already buried: Ctrip is suspected to store user credit card information

The bug's publisher, Ctrip, posted a manuscript in the commentary, "the risk of leaking credit card information from a suspected store user," which was published in 2014-01-10.

In this article written by China Network Financial Center said, Ctrip users reflect, in Ctrip purchase products, only simple information to check to complete the transaction. Mr. Zhang said that the first time he held a credit card in Ctrip consumption, the need to provide credit card type, card number, validity period, CVV2 code (that is, credit card verification code), such as a series of complete information, and then submitted to pay. "However, when I use this credit card for the second time in Ctrip, just provide four digits and CVV2 code after the card number, Ctrip will complete the payment operation." If the original (Ctrip) did not store information in the system, how did it complete the payment? Mr Zhang says such "convenient" operations have made him more concerned about his credit card security, "As long as you know this credit card number and CVV2 code, you can use it to consume, do not need any dynamic or other forms of password, my capital security by WHO to protect it?

Also, consumers say, Ctrip's artificial customer service will directly ask users for credit card validity, CVV2 code and other sensitive information. China Network Financial Center reporter to buy tickets by telephone, dialed the Ctrip customer service telephone, in the payment link, the reporter according to the voice request enters the credit card number, the customer service personnel oral questioning reporter this credit card validity period and CVV2 code, when the reporter puts forward the sensitive information inconvenient to disclose, the customer service personnel says "If does not provide, Can not complete the reservation "and stressed that Ctrip will not store credit card number information. In addition, the reporter in search of relevant information found that many consumers have experienced credit card theft of the event, the amount from 20,000 to 5 million yuan range.

According to the industry, credit card information mainly includes card number, validity period, CVV2 code, which printed in the card signature area of the 3-bit CVV2 code is also known as the "second password", mastering the card's transaction authorization, that is, as long as the correct CVV2 code, you can complete the payment link. China Network Financial Center reporter in China UnionPay Risk Management committee issued in 2008, "UnionPay Card receipt Agency account information security management standards" see the following expression: Each receiving system can only store the most basic account information necessary for transaction clearing and error processing, and shall not store bank card track information, card verification code, Personal Identification Code (PIN) and card expiration date.

Ctrip North China Public relations in charge of the Chinese network of financial center reporters said that Ctrip use of credit card payment method in line with international practice, "in the years before we have MasterCard, Visa and other card organization certification, this shows that These international financial institutions have a recognised attitude to Ctrip's risk control capabilities and security secrecy, or they will not authorize us. ”

When the reporter asked Ctrip customer service personnel oral credit card validity, CVV2 code and other sensitive information, how to protect the internal staff do not leak, the official said the move is also the international common practice, "since the company used this way, certainly the risk of adequate control capacity." "And for reporters to" whether the Ctrip violates UnionPay regulations, in the background to save the user credit card-related information, the other party did not give a clear answer.

The official stressed that Ctrip never appeared in the case of credit card theft, "because we are the main push is the tourism products, the reservation needs to provide customers with identity card numbers and other personal information, so once the brush, can also quickly detect (suspect)." "But there is a consumer to the reporter, card thieves often in the internet forum to sell Low-cost tickets, using the information provided by the Buyer ID card to complete the consumption," even if the police find the actual use of air tickets, people are cheated victims, how to investigate the responsibility?

Comments: Ctrip should not save CVV code anyway

The report of Ctrip's payment information is released by media, which has aroused many discussions and concerns:

It commentator @ Bing Uncle said: Thank you @ Cloud-Vulnerability Report platform Ah, Uncle Bing finally felt the Ctrip five-star rapid customer service. (I spit Groove, ctrip in hand, said go go, walk the fastest is the password, within 1 minutes, @ Ctrip customer service on God replied) PR higher than the programmer level, point a praise bar. Ctrip is typical of the world, the passengers only want you to help solve the # Where to sleep # (this weekend, the Bank customer service is the most difficult) Ctrip must be compensated, the girl lip lipstick said no. (The pig-like teammate Cention, the overtime lying gun)

Auto Founder @ Lee wanted the first time on Sina Weibo to respond: if it is true, the market value of Ctrip is estimated to lose half of it, short Ctrip's cool. Without a basic sense of security, do not secretly save the information that should not be stored. Ctrip leaked the user's credit card information (I only know that Ctrip secretly saved the information), Youku paid members (I only know that Youku's customer service is just the page decoration) system also successfully collapsed today.

@ Li think: stored the user's credit card CVV, also leaked. The former is the basic ethical problem of the enterprise, the latter one is the security issue. Some information can be saved, some information could not be saved in any case, Ctrip saved in any case should not save the CVV, which is equivalent to your credit card password stored and leaked. The need to enter CVV and storage CVV is two concepts. At this time also help Ctrip talk, is typical of being sold also help counting money. Trading site CVV the equivalent of an hourly job that secretly matches your home key, and he knows all about your family.

Sina Weibo Netizen said @ Pig elder brother: Ctrip risked being short selling risk for the central bank online purchase limit to provide support evidence samples! Are you starting to worry about online payments from Non-bank systems? 4, do you think that Ctrip to allow the central bank to pay online, transfer and other restrictions seem to have made sense to have Weibo netizens ridicule @ more vulgar: Ctrip to the central bank is true love AH ......

Sina Weibo net friend @ Flower Total lost golden to Ctrip credit card leaks carried out a detailed comb, and answered Ctrip users should not change the question of credit card:

What happened to Ctrip?

"All", this is the only thing I feel about Ctrip this evening. In the beginning, my first reaction was that Ctrip's credit card data was being towed, and all the credit card data on Ctrip were at risk of leaking. Many friends in the micro-letter group chat with each other to remind and ask, "There is no Ctrip credit card", "quickly to write off all in Ctrip used credit card", "China Merchants Bank has opened the relevant credit card cancellation card for the green channel", and so on news.

Unfortunately, put aside the technical bug problem, Ctrip in this crisis performance is not professional, given the information is not convincing. Conceal the attitude, but let more people in the heart, sit real "Ctrip used credit card is not safe" idea.

It is also regrettable that the technology media, in the case of Ctrip's credit card door, is like the performance of the MH370 incident. Instead, it is the report of the Caixin network, which explains some key technical issues and quotes the microblog analysis of Media V CTO Junin, which provides relevant knowledge and analysis.

What happened to Ctrip's credit card data in the past few days? I have used the credit card on Ctrip, do not have to change the card? Ctrip's mistakes are unforgivable? None of these core questions were answered.

1. Ctrip Credit card door, what happened?

Description of the cloud, "the flaw comes from a service interface that handles user payments, which enables all packets that are transmitted to the Bank to verify the card owner interface to be stored directly on the local server. At the same time because the server that holds the payment log does not have a strict baseline security configuration, there is a directory traversal vulnerability, which results in all the debugging information in the payment process can be read by any hacker. ”

The description of the cloud is very technical, which is also the main reason why the public think that Ctrip's credit card data is leaking.

Please note that "all the debugging information in the payment process can be read by any hacker". In other words, Ctrip's credit card data does not have the risk of all historical data being towed, and only the data being paid can be stolen.

Only in response to the risk of cloud exposure, only from this loophole, until 11 o'clock on the night of March 22, Ctrip feedback has been fixed after the leak, this period of time in Ctrip paid credit card risk.

From here to Mao Yan, if you have not used Ctrip for more than a year, you should be safe only against cloud holes.

The message that individuals get from a non-isolated source is that this security vulnerability arises from the recent development of debugging.

I don't know how close this is in the near future. Ctrip announced the information is that March 21, 22nd, some customers are at risk.

Frankly speaking, most people should not believe, where there are such a coincidence of events, 22nd, the risk of the impact of two days. However, my personal sources tell me that this loophole appears initially within a week. As for why Ctrip published 21, 22nd two days of risk, is said to be the relevant log analysis results.

In combination, the individual for reference, if not in a week in Ctrip has paid behavior, just for the dark clouds of loopholes, your credit card should be safe. (This is only based on my personal message analysis.) )

2. Do I need to change my credit card immediately?

This is a difficult question to answer.

Personal suggestion if the use of Ctrip in a week, especially 21, 22nd two days of users, you can choose to change the card, and wait for Ctrip further public information.

More than a year of users who have not used Ctrip, there is no need to follow the booing.

A year to a week of users, personally think the risk is not big, but if you must be very tangled fear, then the temporary application freeze. If not frozen, then can choose to open consumer SMS reminders and other information to help strengthen security management.

3. Although I am a risk user, but I am lazy, do not want to change the credit card?

There is nothing that cannot be, just may face the risk. Management, there are three ways to deal with risk, avoid risk, reduce risk and accept risk. Not changing your credit card means you accept the risk.

If you really are really lazy, then it is recommended to set the net silver single consumption limit or limit, open SMS or micro-letter reminders to reduce risk.

4. Ctrip process, what is the problem?

Frankly speaking, Ctrip's statement does not give a risk hint, which is very unwise, and the results of Ctrip's statement is not transparent, it is difficult to convince people. Let's take a look at Ctrip's statement:

"After knowing the message, the company started the technical troubleshooting and fixed the problem within two hours of the release of the message." Ctrip thanked the cloud platform for discovering the vulnerability and would reward those who provided the vulnerability with information. For this vulnerability event, if new progress, Ctrip will continue to inform. may be affected by the March 21 and March 22 of some of the trading customers, there is no information related to the problem caused by the disclosure of customers and losses caused by the situation. The company will continue to conduct network security verification work, if a user due to this loophole caused property damage, Ctrip will compensate for losses. ”

(1) Ctrip did not reveal when the loophole was produced, then Ctrip 21, 22nd is very easy to be seen as a cover-up.

(2) Ctrip does not prompt the user the possible risk, but said that currently has not found cause loss, this some play with words game, shirk responsibility.

(3) Ctrip said if there is a user due to the damage caused by the flaw, Ctrip will be compensated. So what is the definition of this loss? The loss caused by the user's panic and change of card is the result of this loophole? According to the literal meaning of Ctrip, there seems to be no compensation, but users will accept it?

Ctrip, should be detailed to disclose the cause of the vulnerability, time, and prompts the user possible risks. At the same time, detailed explanation, why have entered these analysis, determined that these users may have the risk, Ctrip advised users how to circumvent or reduce the risk, after the occurrence of Ctrip can do for these users? If Ctrip wants to be a little more beautiful, it should bear the cost of the risk customers to change the card, the most incompetent to send a voucher what. Otherwise, users will only be in doubt away from Ctrip, if not believe, who can see the recent three days of the Bank of China Merchants Card change, you can know.

Note: The author's personal remarks do not represent the "Internet thing" view.