Ctrip security vulnerabilities, fear of leaking user privacy information

Introduction: At present, Ctrip has not been the user side of the account has not been a loss of money, but the cloud platform exposure to the security vulnerability information may be the company's safety credit, enterprise cooperation caused by greater damage. Although ctrip in the technical aspects of repair vulnerabilities to deal with very quickly, but with the brand public relations crisis to bring thread to the tricky, and Ctrip is also to guard against the implementation of brand attack behavior of the may .

On March 23, 2014, cloud platform on the side of the continuous release of the Ctrip two security vulnerabilities, the vulnerability of the discovery said because Ctrip in the program to open the user payment service excuses debugging function, which leads to Ctrip security payment log can be arbitrary also readable, The security payment log may disclose information including cardholder name, bank card category, ID,cvv code , bank card number , and so on.

The author of the loophole claims that Ctrip has turned on the debugging function of the service interface used to process user payments, so that all packets to the bank verifying the card owner interface are stored directly on the local server. At the same time because the server that holds the payment log does not have a stricter baseline security configuration, there is a directory traversal vulnerability that results in all the debugging information in the payment process being read by any hacker.

The information contained in the security log includes: cardholder name, cardholder ID card, type of bank card (e.g. merchant bank credit card, Bank of China Credit card), bank card number, bank card CVV code and 6-bit bin of bank card (6 digits for payment).

Cloud vulnerability platform to mark this vulnerability level high, and has notified the manufacturer, the current status is waiting for vendor processing.

At the same time exposure to another vulnerability shows that Ctrip a branch of the source code package can be directly downloaded (involving database configuration and payment interface information), the current vulnerability has been confirmed by cloud platform. (Guxiaopo)

Although Ctrip users have not yet appeared account money loss, but the exposure of the security vulnerability information on Ctrip's corporate security credit, corporate cooperation damage may be greater. Ctrip after the technical loopholes, followed by the brand public relations crisis is more difficult, the first thing to guard against is that opponents may implement brand attack behavior.

According to NetEase Technology reports, with Gang and MasterCard International recently signed a memorandum of cooperation, expanding in the brand, payment areas of cooperation, through joint cards, tourism concessions, electronic wallets and other programs to promote the electronic payment in the field of tourism consumption innovation applications. The technical loophole may also cast a shadow over the cooperation between the two sides.

Given that the leak broke out in Saturday, it is also a concern that Ctrip's share price movements will be affected in the opening of the eastern time market.

Extended reading:

December 25, 2011 News, this evening, for the "Tianya 40 million user password leaked" news, Tianya official to Tencent Technology issued a statement that the stolen data for 2009 before the backup data. Tianya implored users to modify the Tianya related account password as soon as possible. Tianya Marketing department in charge of Tencent Technology, said that the so-called 40 million users are hackers packaged data file name on the target, exactly how many users password was leaked, is still uncertain. But according to the Tianya technical staff inquires, leaked users will not be greater than this number.

At present, the Tianya has reported to the public security organs, the public security organs are also investigating related clues.

As early as last week, December 22, the country's largest developer community CSDN user passwords have been compromised by hackers. This time, with the end of the user password leaked, it also means that the impact of the hacker attacks to further expand.