Ctrip vulnerability Exposure: Dialogue with white hat hacker

Ctrip vulnerability Exposure: Dialogue with white hat hacker

Last weekend was not peaceful.

March 22, 18:18. A vulnerability report, numbered 54302, was exposed on the Internet security issue Feedback Platform Cloud (wooyun.org), the publisher is the Black Cloud core white hat hacker "Piggy Man". The report shows that a flaw in Ctrip will lead to a large number of users of the bank card information leaked, and this information may directly lead to problems such as brush-stealing.

The news was quickly spread through the media, with more attention even than a later exposure of another news "Huawei headquarters server was invaded by the United States Security Bureau," also beyond the previously exposed some seemingly serious loopholes.

A loophole for the user to change the card

What's wrong with this loophole? According to the introduction, because Ctrip used to deal with user payment of the Security payment server interface has debugging functions, the user's payment record with the text saved. At the same time because the server that holds the payment log does not have a strict baseline security configuration, there is a directory traversal vulnerability, which results in all the debugging information in the payment process being read by any hacker.

Traversal is usually defined as a search route, one for each node in the tree, and one visit at a time. This is classified as "sensitive information disclosure" loophole, is alleged to lead to a large number of Ctrip user information exposure, including: Cardholder name ID card, bank card number, bank card CVV code, 6-bit card bin, etc. very sensitive content.

Ctrip Official explanation: Technology developers in order to troubleshoot system questions, leaving a temporary log, due to negligence did not delete in time. However, MEDIAV company CTO Junin or through micro-blog criticism said: "Data transmission for the clear, and on the line has a long time to open debugging function, resulting in the system log is also clear, and did not clean up in time, the stored server and security vulnerabilities."

Has Ctrip's peers to Sina Technology, Ctrip has been in the wireless side is not very safe practice, this way although user-friendly operation, but there are certain security risks. And Ctrip insiders said to Sina technology, this is an "accident" safety accident, Ctrip is not intended to save the user's relevant information, there is such a problem ctrip inside also feel incomprehensible.

Users are even more incomprehensible. The leak leaked information, meaning that almost all of the user's bank card information exposure risk, with this information, credit card theft may become a piece of cake.

The biggest risk is from users who have recently traded on the wireless side of Ctrip. Ctrip does not disclose the existence of the time and scope of the loophole, so the best way to avoid the risk is to contact the bank to Exchange cards immediately.

According to China Merchants Bank credit card customer service revealed that the past few days, many users have been on the issue of Ctrip call advisory, most of them have taken immediate cancellation of the original credit card, separate opening of the new card hedging measures. China Merchants Bank staff said that it will take two days to make a credit card, plus the delivery will take about a week, during which credit cards are not available.

Key issues: CVV and PCI

CVV is the focus of attention in the information of risk disclosure.

CVV (Card verification Value) is also known as CVC (Cards Validation code), which shows that this part of the information is a 3-bit or 4-digit number generated by the number, expiration, and service constraint codes. Generally written in the card magnetic stripe of the 2-track user-defined data area inside. The CVV and CVC generation methods are the same, but they are called different.

This information is used to reconcile transactions. CVV is checked on the online transaction (swipe card), and in the process of not actually swiping the card, this information has a decisive effect. However, it is worth detailing that we usually do not pay in the process of payment, the need to provide information is actually called CVV2, that is, the card on the back of the signature file next to three digits.

As sensitive information, CVV2 in the Internet payment and other non-swipe transactions, there are clear rules of treatment.

According to the "bank Card receipt Management standard" issued by China UnionPay, the system can only store for transaction clearance, card verification code, personal Identification Code (PIN) and card validity. Track information, card verification code, personal Identification code, card validity only for the completion of the UnionPay card transactions, can not be used for any other purposes.

A number of providers of online payments also to Sina technology, in the actual operation will be in accordance with the relevant provisions, will not be related to the user information on the illegal storage. Compared with the CVV, another let Ctrip face the blame of the English abbreviation is PCI.

PCI, in the financial industry, usually refers to the payment card Industry data security standards, that is DSS (Payment cards Industry, Standard). The purpose of the PCI is to optimize the security of credit cards, debit cards and cash card transactions, and to protect the cardholder's personal information from being exploited by others.

In this leakage incident, some people accused Ctrip does not have the qualification to meet the PCI standards, and attributed to Ctrip in the process of the cause of the problem. VERYCD founder Daiyunjie openly questioned Ctrip: CVV2 belongs to the sensitive data that should not be stored. and have access to PCI qualified Ctrip told Sina Technology, the qualification application is not easy, it will take a year.

Does Ctrip have any PCI qualification? The official response is: Ctrip's approach complies with DSS regulations. Ctrip will further strictly comply with DSS's regulatory requirements.

93 telephone calls with 1 users

Of course, the discussion of PCI is not an urgent matter, there are also access to PCI qualifications are also an example of the accident. For ordinary users, the core question is: I am not safe?

The lack of detailed information disclosure, so that the large-scale Ctrip users of the community. The official saying is: "by Ctrip, only the vulnerability found people did the test download, the content contains a very small number of encryption card information, a total of 93 people with potential risk of ctrip." Ctrip will notify the 93 users individually on 23rd, without receiving a call that says "It's safe, no need to worry".

93 this scale, compared to Ctrip can only be a very few. A 22nd on the Ctrip platform has traded users of Sina Technology, said, and did not receive the telephone from Ctrip. However, as with others who recently had ctrip transactions, they have expressed deep concern about the safety of personal information, and the trust of Ctrip has been minimized.

In fact, Sina technology to obtain the contact of Ctrip users, most have taken the card-changing processing.

The good news is that as of now, there is no public information showing Ctrip users have suffered losses because of this vulnerability. The bad news is that the information leaked by Ctrip may have caused damage earlier.

Guangxi Easy Search Technology CEO Maojing is a case. According to the description of the Ctrip Diamond card members, this February 25 morning, his mobile phone has been a number of credit card consumption of SMS prompts, some in the United States dollar settlement, some in sterling settlement, and some in euros, the sum of these deductions total amount less than 20,000 yuan.

After several rounds of investigation, Maojing put the suspect locked in Ctrip, according to his description only and Ctrip account binding three credit cards, on February 25 that day there were more than 10 of foreign currency theft, and the other three credit card is peaceful. However, Maojing's query, no other more rigorous evidence to prove that it is difficult to let Ctrip to admit this.

"I am a platinum customer of these banks, with 72-hour payments, if it is not my responsibility to be stolen brush, I do not have to pay, by the Platinum insurance Commitment", in the communication with Sina Technology Maojing said Ctrip may become an excuse for the bank, he feared that if there is a problem will be a lot of non-platinum users need to bear their own losses.

A bank industry personage also said to Sina technology, the appearance steals the brush actually very difficult to investigate the responsibility.

Dialogue White Hat Hacker Piggy

A credit card-related loophole naturally conjures up an underground industrial chain linked to hackers.

The online reports of hackers and the lucrative business behind hackers have been widely circulated for years. Hacker-related information theft has also emerged at home and abroad, such as the December 2011 China's largest programmers website CSDN reported a hacking attack, more than 6 million user information was leaked, and last December, U.S. third-largest retailer target 40 million customer credit card data were stolen.

Sunwear, a well-known Internet information security expert in Sina Weibo, said that the hacker circle to do the credit card industry is very mature, Europe and the United States and Taiwan are the target of hackers, many sites will store credit card number, CVV, due date and other information, channel too much ctrip is just the tip of the iceberg, Although much of the data is encrypted or hidden, it does not necessarily.

He also released a hacker in the Netherlands server information screenshot, "One of the credit card information from the Middle East Airlines and several Taiwanese websites, the total amount of 7 million or so, according to the hacker ring price Europe card can make hundreds of pieces, you want to profit." But when I saw that the data had been in that year, it had been washed for a long time.

But not all hackers are engaged in such a business. Hackers are known as white-cap hackers who use their own technology to test the performance of their networks and systems, not in this way.

The disclosure of the leak, is the black cloud platform of the core white hat hacker, on Weibo, his ID is a string of English names, and his five-digit QQ is another three-character Chinese name. Piggy has a series of impressive record, he found the loopholes of the enterprises include: Ctrip, Tencent, Youku, NetEase, Grand ... The number of leaks revealed in the cloud has reached 125.

Sina technology asks: "Why can you discover so many loopholes".

"The product manager collects a variety of data to improve the product experience for ease of use," said the pig.

In the exchange, the pig seems to feel some kind of external pressure, he told Sina Science and technology recently did not want to address the issue of Ctrip too much comment, and there are already relevant departments involved in the matter. In addition, he also said on Weibo: "At present I have the security test involved in the log information completely deleted, Ctrip has been timely repair loopholes."

For Ctrip claimed to provide incentives, the pig said he did not take seriously. In fact, the extent of the issue of Ctrip is not in the expectation of the pig, he concluded that it may be because the loophole directly linked to money.

"The real fire is this loophole," the pig gave Sina technology a link:

It was a March 21, 14:10 release on cloud platform, a bug report numbered 54204. The report shows that Tencent QQ client a default installation space there are serious security flaws, hackers can remotely obtain any friend Clientkey, combined with another loophole, you can bypass the Tencent single point of access to the system IP restrictions, login friends full line of QQ business system.

Including QQ Space, QQ album, QQ Mailbox, Tencent Weibo and so on. Obviously there is a greater risk of privacy hidden in the middle, to the deadline, Sina technology to consult Tencent has not received a response.