Late on Saturday, Wooyun, a domestic platform for reporting network security problems, released a message stating that, because of vulnerabilities in Ctrip's system storage technology, users' personal information and bank card information may have been leaked. Ctrip apologized yesterday and promised that in the future, if a security vulnerability causes losses to users, Ctrip will give full compensation.
On the night of March 22, the Wooyun vulnerability platform issued a message stating that a vulnerability in Ctrip's system storage technology could lead to the leak of users' personal information, bank card information and other data. The leaked information includes user name, ID number, bank card category, bank card number, bank card CVV code (a 3-digit or 4-digit number generated from the card number, validity period and service constraint code) and so on, all of which may be read by hackers. Wooyun is a platform through which vendors and security researchers exchange feedback on security problems; it has previously published technical vulnerabilities in the information systems of a number of domestic enterprises, pushing those enterprises to fix them.
According to an industry source close to Ctrip, the vulnerability occurred on the 21st and 22nd and was only discovered on the evening of the 22nd, so consumers who made transactions on Ctrip and paid by credit card during those two days may be at risk.
Yesterday, Ctrip issued two statements on its official microblog apologizing for the incident, and said that in the future, if users suffer losses due to a security vulnerability, Ctrip will assume full responsibility and pay compensation.
Ctrip said that, after an overnight technical investigation, the company repaired the vulnerability within two hours of the problem being found on Wooyun. "After investigation, Ctrip technical developers, in order to troubleshoot a system problem, left a temporary log which, due to negligence, was not deleted in time. At present, this information has been deleted."
On the widely shared concern about credit card security, Ctrip revealed that, according to its investigation, only the person who found the vulnerability made a test download. The content contained a very small amount of encrypted card information, involving 93 Ctrip users at potential risk.
"Ctrip customer service notified these users on March 23 to replace their credit cards, and the banks will also help users complete the card replacement procedures as soon as possible. Ctrip will give the 93 users a 500 yuan gift card per person as compensation. Users who had not received a card replacement notification from Ctrip customer service as of 22:00 on March 23 need not worry; their personal information is safe," Ctrip said.
>> Analysis
Does not involve Alipay
Wooyun's technical side told reporters that the data involved only some credit card information; bank cards with the online payment function enabled and Alipay are not involved.
"Paying with a bank card or Alipay requires jumping to the bank's or Alipay's page, and each payment requires entering the password for the card number, so the safety factor is higher," said Ruzenwang, CEO of Shanghai million-engine Business Consulting Co., Ltd.
According to a number of consumers who have paid by credit card, many e-commerce platforms only require the last 4 digits of the bank card and the CVV code to complete a payment. Ruzenwang said this means that the e-commerce platform stores the user's key information on its servers, which is a serious violation.