A5 webmaster network (www.adming5.com), March 24th news: last week the WooYun ("dark cloud") vulnerability platform published a report that Ctrip's payment logs contained a flaw that could lead to the disclosure of a large number of users' bank card details. For a time, Ctrip was in the teeth of the storm.
According to the report, the server Ctrip used to handle user payments had a debugging interface left enabled, and this debugging function saved users' payment records as plain text. At the same time, the location where the payment server stored those logs had not been given a strict baseline security configuration, leaving a directory traversal vulnerability, so all of the payment debugging information could be read by anyone. ("Traversal" here borrows the tree-walking sense of the word: following a path to visit each node once and only once.) The issue is classified as sensitive information leakage, and the vulnerability could expose Ctrip cardholders' names, bank card numbers, card CVV codes, the six-digit card BIN and other information.
The CVV (Card Verification Value) is a three- or four-digit code derived from the card number, expiration date and service code, and is usually written in the user-defined data area of track 2 on the card's magnetic stripe. A payment that needs no password is also called an offline credit card transaction: the card number, CVV code and a few other details are enough to complete it. Experts advise that the CVV security code is effectively a second password for the credit card and must be kept carefully.
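The two failure modes described above, a debug log that keeps full card data and a log directory that can be read by any request, both have simple controls. The following is an added example written for this article; it is not Ctrip's code and not taken from the WooYun report. It assumes a Python service whose debug logger passes a payment record (a dict) through `redact_payment_record()` before writing it, and whose log-viewing endpoint resolves file names through `resolve_log_path()` before opening anything. The sample record is constructed; the card number is the standard 4111... test PAN and the other values are made up.

```python
"""Added example: redact cardholder data before logging, and confine log
reads to one directory. Not Ctrip's code; the sample record is constructed."""
import re
from pathlib import Path
from typing import Optional

# Any run of 13-19 digits is a PAN candidate; luhn_ok() filters out most
# numbers that merely look like card numbers (order ids, timestamps).
PAN_RE = re.compile(r"\b\d{13,19}\b")
# "cvv=123", "CVC: 4567" and similar fragments inside free-text fields.
CVV_RE = re.compile(r"(?i)\b(cvv2?|cvc|security_code)\s*[=:]\s*\d{3,4}")

DROP_FIELDS = {"cvv", "cvv2", "cvc", "security_code"}   # never stored after auth
PAN_FIELDS = {"card_number", "pan"}                      # keep BIN + last four only
ID_FIELDS = {"id_number"}                                # keep last four only


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; True for structurally valid card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Show the six-digit BIN and last four digits, the maximum PCI DSS
    permits to be displayed; everything else becomes '*'."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        return "*" * len(digits)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_text(text: str) -> str:
    """Scrub CVV fragments and Luhn-valid PANs out of a free-text value
    (for example a raw gateway response that was dumped into the log)."""
    text = CVV_RE.sub(lambda m: f"{m.group(1)}=[removed]", text)
    return PAN_RE.sub(
        lambda m: mask_pan(m.group(0)) if luhn_ok(m.group(0)) else m.group(0),
        text,
    )


def redact_payment_record(record: dict) -> dict:
    """Return a copy of a payment record that is safe to write to a log."""
    out = {}
    for key, value in record.items():
        k = key.lower()
        if k in DROP_FIELDS:
            continue                      # CVV is removed, not masked
        value = str(value)
        if k in PAN_FIELDS:
            out[key] = mask_pan(value)
        elif k in ID_FIELDS:
            out[key] = "*" * (len(value) - 4) + value[-4:]
        else:
            out[key] = redact_text(value)
    return out


def resolve_log_path(base_dir: str, requested: str) -> Optional[Path]:
    """Resolve a requested log file name inside base_dir. Returns None when
    the resolved path escapes the directory ('../', absolute paths,
    symlinks pointing outside), which is the traversal case."""
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()
    if candidate != base and base in candidate.parents:
        return candidate
    return None


# Constructed sample: what a careless debug hook might have written verbatim.
SAMPLE_RECORD = {
    "order_id": "ORDER-TEST-0001",
    "holder_name": "Zhang San",
    "card_number": "4111 1111 1111 1111",
    "cvv": "123",
    "expiry": "12/16",
    "id_number": "110101199001011234",
    "gateway_raw": "resp=00&pan=4111111111111111&cvv=123&auth=OK",
}

if __name__ == "__main__":
    print(redact_payment_record(SAMPLE_RECORD))
    print(resolve_log_path("/srv/paylogs", "pay-2014-03-21.log"))
    print(resolve_log_path("/srv/paylogs", "../../etc/passwd"))
```

The redaction runs on every field rather than only on fields named `card_number`, because the dangerous leaks in a debug log are usually the raw gateway request and response strings, where the PAN and CVV appear under whatever names the gateway uses. The path check compares resolved paths, so it is not fooled by encodings or symlinks that a simple string test for `..` would miss.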
Within two hours of the report being published, Ctrip launched a technical investigation and repaired the flaw. Ctrip said the customers who might be affected were those who made some transactions on March 21st and March 22nd, and that no user had yet been found to have suffered a financial loss as a result of the vulnerability. Ctrip said it would reward the people who reported the vulnerability and would continue to issue updates if there were new developments.
The matter immediately drew wide attention, because what was exposed was not merely personal information but bank card data: ID numbers, bank card numbers, CVV codes, six-digit card BINs and more. Kingsoft security expert Li Tiejun, interviewed by Beijing IT Channel, said: "From the data Ctrip and WooYun have published so far, it is still not entirely certain how the users' private data was disclosed, but the security risk to users is very large. Beyond the possibility of fraudulent card use, someone who knows the user's information could also open a third-party payment account, bind the credit card to it and shop overseas." Credit cards are understood to support offline payment, in which the payment goes through as long as the card's basic details and CVV code are known.
As for the cause of the vulnerability, many people questioned why Ctrip would keep users' payment records as plain text at all. Some experts said that storing customers' bank card information violates the rules of China UnionPay (CUP) and PCI-DSS (the payment card industry data security