Ctrip vulnerability after exposure the underground industry chain dialogue parties white hat hacker


Ctrip vulnerability exposure: Dialogue parties Sina

Meng hung white hat hacker


wasn’t safe last weekend.

March 22nd, 18:18. A number of 54302 reported vulnerabilities exposed in the Internet cloud security platform feedback (wooyun.org), the publisher is the core of the clouds white hat hackers pig man". The report shows that Ctrip’s vulnerability will lead to a large number of user bank card information disclosure, and this information may directly lead to fraudulent and other issues.

this message through the media spread quickly, pay attention to other news "of even more than the later exposed HUAWEI headquarters server compromised" National Security Bureau, also had exposure beyond the seemingly very serious vulnerability.

a user to replace the card vulnerability

this vulnerability is what is going on, it is reported that, due to the security of the user to pay for the implementation of the program to pay for the existence of the server interface debugging features, the user’s payment records with the text saved. At the same time, because the server does not pay to pay the log to do more stringent baseline security configuration, there is a directory traversal vulnerability, resulting in all payment process debugging information can be read by any hacker.

so-called traversal is usually referred to as a search path, each node in the tree are done once and only once to visit. This is classified as "sensitive information disclosure vulnerabilities may lead to a large number of accused Ctrip user information exposure, including the cardholder’s name, identity card, bank card, bank card CVV code, 6 Bin card is very sensitive to the content.

Ctrip official explanation: technical personnel in order to troubleshoot the system, leaving a temporary log, because of negligence is not promptly deleted. But MediaV CTO Hu Ning Company or criticism through micro-blog said: "the data transmission to the plaintext, and online unexpectedly long time to open the debug function, resulting in the system log is also explicit, is not yet cleared up, as well as storage servers security vulnerabilities".

has Ctrip counterparts on Sina Technology, said Ctrip has been in the wireless side is not very safe approach, this approach is convenient for users to operate, but there is a certain security risk. Ctrip insiders on Sina Technology, said it was an accident of security incidents, Ctrip is not intended to save the user’s relevant information, there is such a problem Ctrip also feel unable to understand.

users are more understandable. This vulnerability leaked information, which means almost all of the user’s bank card information exposure risks are present, with this information, credit card stolen may become a breeze.

face the greatest risk, is derived from the recent adoption of Ctrip wireless end users have been trading behavior. Ctrip did not disclose the existence of loopholes in the time and scope, so the best way to avoid risk is to contact the bank immediately for the card