Ctrip vulnerability Exposure: Dialogue with white hat hacker

Source: Internet
Author: User
Keywords: Hacker, Ctrip
Last weekend was not a quiet one. On March 22 at 18:18, a vulnerability report numbered 54302 was published on the Internet security issue feedback platform WooYun (wooyun.org); its author is a WooYun core white hat. The report shows that a flaw at Ctrip can leak the bank card information of a large number of users, and that this information could directly enable fraudulent charges. The news spread quickly through the media, drawing more attention than the later report that "Huawei headquarters servers were infiltrated by the US National Security Agency (NSA)", and more than several apparently serious vulnerabilities exposed earlier.

A vulnerability that makes users replace their cards

According to the report, the secure payment server interface that Ctrip uses to process user payments had debugging enabled, so users' payment records were saved in plain text. At the same time, the server holding the payment logs lacked a strict baseline security configuration and had a directory traversal vulnerability, so all of the debugging information from the payment process could be read by any attacker. Directory (path) traversal means that a request can supply path components such as "../" to reach files outside the directory the server was meant to expose. This is classified as a sensitive information disclosure vulnerability and is alleged to expose the information of a large number of Ctrip users, including the cardholder's name and ID card number, bank card number, bank card CVV code and the 6-digit card BIN, all very sensitive content. Ctrip's official explanation: developers left a temporary log while troubleshooting a system problem, and through negligence it was not deleted in time.
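The traversal failure described above, a log download path that lets a request walk out of its directory, is reproduced in the following added Python example beside a hardened version of the same function. This is not Ctrip's code; the directory layout, file contents and function names are constructed for illustration.

```python
"""Directory (path) traversal: a naive log-download function beside a hardened one.

Added example, not Ctrip's code. The directory layout and file contents
below are constructed for illustration.
"""
import os
import tempfile


class TraversalError(Exception):
    """Raised when a requested name resolves outside the allowed directory."""


def read_log_vulnerable(log_dir: str, name: str) -> str:
    """Naive join: '../' in `name` walks out of log_dir, and an absolute
    `name` makes os.path.join discard log_dir entirely."""
    with open(os.path.join(log_dir, name), "r", encoding="utf-8") as f:
        return f.read()


def resolve_in_dir(base_dir: str, name: str) -> str:
    """Canonical absolute path of base_dir/name, or TraversalError if it
    resolves outside base_dir. realpath collapses '..' and follows symlinks;
    commonpath (rather than startswith) also rejects a sibling such as
    base_dir + '2/...'."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise TraversalError(f"{name!r} escapes {base_dir}")
    return target


def read_log_hardened(log_dir: str, name: str) -> str:
    """Same function, but the path is validated before the file is opened."""
    with open(resolve_in_dir(log_dir, name), "r", encoding="utf-8") as f:
        return f.read()


def build_demo_tree() -> str:
    """Constructed layout: root/logs/pay.log is meant to be served,
    root/etc/secret.txt is not."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "logs"))
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "logs", "pay.log"), "w", encoding="utf-8") as f:
        f.write("2014-03-22 18:18 DEBUG order=C20140322001 status=ok\n")
    with open(os.path.join(root, "etc", "secret.txt"), "w", encoding="utf-8") as f:
        f.write("db_password=example\n")
    return root


def demo() -> dict:
    """Run both versions against a normal name, a '../' escape and an
    absolute path; returns what each one did."""
    root = build_demo_tree()
    log_dir = os.path.join(root, "logs")
    results = {
        "vuln_normal": read_log_vulnerable(log_dir, "pay.log"),
        "vuln_escape": read_log_vulnerable(log_dir, "../etc/secret.txt"),
        "hard_normal": read_log_hardened(log_dir, "pay.log"),
    }
    for label, name in (
        ("hard_escape", "../etc/secret.txt"),
        ("hard_absolute", os.path.join(root, "etc", "secret.txt")),
    ):
        try:
            read_log_hardened(log_dir, name)
            results[label] = "allowed"
        except TraversalError:
            results[label] = "blocked"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value.strip())
```

Note that the hardened version only closes the traversal; in the case described on this page the log itself held card data, so even a correctly confined download endpoint would still have been serving sensitive information to anyone able to call it.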
However, MEDIAV CTO Junin criticized on Weibo: data was transmitted in plaintext, the debugging function was left on in production for a long time, so the system logs were also in plaintext and were not cleaned up in time, and the server storing them had security vulnerabilities of its own. Ctrip's industry peers told Sina Tech that Ctrip had for some time used a not very safe practice on the mobile side; it makes operation convenient for users but carries certain security risks. Ctrip insiders told Sina Tech that this was an accident among security incidents: Ctrip never intended to store users' relevant information, and people inside Ctrip also found the problem hard to understand.

Users are even more baffled. The leaked data means that almost all of a user's bank card information is at risk of exposure, and with this information credit card fraud could become a piece of cake. The greatest risk is to users who have recently transacted on Ctrip's mobile side. Ctrip has not disclosed how long the vulnerability existed or its scope, so the surest way to avoid the risk is to contact the bank and replace the card immediately. According to China Merchants Bank credit card customer service, in the past few days many users have called about the Ctrip issue, and most of them immediately cancelled their original credit card and applied for a new one as a precaution. China Merchants Bank staff said that producing a new credit card takes two days, plus about a week for delivery, during which the credit card cannot be used.

Focus: CVV and PCI

Among the data exposed, CVV is the focus of attention. CVV (Card Verification Value), also known as CVC (Card Validation Code), is a 3- or 4-digit number generated from the card number, expiry date and service code, typically written in the discretionary data area of track 2 on the card's magnetic stripe.
CVV and CVC are generated the same way and differ only in name (Visa's term and MasterCard's, respectively). This value is used to verify transactions: the CVV on the stripe is checked during online (swiped) transactions, and in transactions where no card is physically swiped its counterpart plays the decisive role. It is worth spelling out that the value we are asked to provide during an ordinary online payment is actually CVV2, the three digits printed next to the signature strip on the back of the card. As sensitive information, CVV2 is subject to clear handling rules for internet payments and other card-not-present transactions. According to the bank card acquiring management rules issued by China UnionPay, a system may store only the data needed for transaction clearing; track data, the card verification code, the personal identification number (PIN) and the card expiry date may be used only to complete UnionPay card transactions and for no other purpose. Several online payment providers also told Sina Tech that in actual operation they follow the relevant provisions and do not store user information unlawfully.

Compared with CVV, the other English abbreviation that has put Ctrip in the firing line is PCI. In the financial industry PCI usually refers to the Payment Card Industry Data Security Standard, PCI DSS. Its purpose is to strengthen the security of credit, debit and cash card transactions and to protect cardholders' personal information from being exploited by others.
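The storage rule above, and the PCI DSS distinction between what may be kept (a masked card number, at most the 6-digit BIN and last four) and what must never be stored after authorisation (CVV2, PIN, track data), can be made concrete in code. The following Python example is added here and is not Ctrip's code nor any UnionPay or PCI SSC tool; the record fields, order numbers and log lines are constructed. It redacts a payment record before it is written to a log and scans existing log lines for Luhn-valid card numbers that should not be there.

```python
"""Keep card data out of debug logs, and find card numbers that are already there.

Added example (not Ctrip's code, not a UnionPay or PCI SSC tool). The record
fields, order numbers and log lines below are constructed for illustration.
"""
import re

# Sensitive authentication data: PCI DSS forbids storing these after
# authorisation, and the UnionPay rule quoted above limits them to completing
# the transaction. They never belong in a log.
SENSITIVE_AUTH_DATA = {"cvv2", "cvv", "pin", "track1", "track2"}

# 13-19 digits, optionally separated by spaces or hyphens, not glued to
# other digits on either side.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by all major card brands; filters out most
    non-PAN digit runs (timestamps, order numbers) the regex alone flags."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the 6-digit BIN and the last four digits, the most that PCI DSS
    requirement 3.3 allows to be displayed; mask everything in between."""
    digits = re.sub(r"[ -]", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_record(record: dict) -> dict:
    """Copy of a payment record that is safe to write to a log: sensitive
    authentication data and the expiry date are dropped (neither is needed
    to debug a transaction), the PAN is masked, the rest passes through."""
    safe = {}
    for key, value in record.items():
        k = key.lower()
        if k in SENSITIVE_AUTH_DATA or k == "expiry":
            continue
        safe[key] = mask_pan(value) if k == "pan" else value
    return safe


def find_pans(text: str) -> list:
    """Card numbers in free text: regex candidate plus Luhn check."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def scan_log(lines: list) -> list:
    """(line number, [card numbers]) for every line that carries one."""
    found = []
    for n, line in enumerate(lines, 1):
        pans = find_pans(line)
        if pans:
            found.append((n, pans))
    return found


# Constructed debug log of the kind the report describes. 4111111111111111
# and 5555555555554444 are the public Visa and MasterCard test numbers.
SAMPLE_LOG = [
    "2014-03-22 18:18:01 DEBUG order=C20140322001 pan=4111111111111111 cvv2=123 exp=1509",
    "2014-03-22 18:18:02 DEBUG order=C20140322002 pan=5555 5555 5555 4444 cvv2=456",
    "2014-03-22 18:18:03 INFO  order=C20140322003 status=ok",
]

# Constructed payment record as it might reach a logging call.
SAMPLE_RECORD = {
    "order": "C20140322001",
    "holder": "Zhang San",
    "pan": "4111 1111 1111 1111",
    "expiry": "1509",
    "cvv2": "123",
    "amount": "1288.00",
}


if __name__ == "__main__":
    print("redacted:", redact_record(SAMPLE_RECORD))
    for n, pans in scan_log(SAMPLE_LOG):
        print(f"line {n}: card numbers found {pans}")
```

The scanner is the check a practitioner would run over an existing log directory before deciding whether an exposure like this one actually leaked card data; the Luhn filter matters because timestamps and order numbers of similar length would otherwise drown the results.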