Ctrip vulnerability on the WooYun platform exposes the Internet sector's security awareness as a whole

Storing users' payment information, saving user passwords in plaintext... On the surface, these non-standard practices on websites provide a more streamlined process; in essence, they sacrifice users' online security as the price. Ctrip is an industry giant and a listed company, yet it still committed such a low-level mistake on a security issue, and the incident has plunged Ctrip into a huge crisis of user confidence. One can only say that user interests are not put first, and that this also reflects the current state of security awareness across China's Internet industry as a whole.


Yesterday evening, according to the vulnerability description on the WooYun platform, Ctrip had enabled the debugging function on the interface used to process payment services, so that all the data packets sent to the banks' cardholder-verification interfaces were written directly to the local server. At the same time, because the payment server holding those logs had not been given a strict baseline security configuration, a directory traversal vulnerability existed, which meant that all of the payment-process debugging information could be read by any attacker.

Cardholder names, ID card numbers, bank card numbers, card CVV codes, 6-digit card BINs and other important user information were leaked. The incident has brought Ctrip a huge crisis of user trust, and its official microblog was flooded with accusations from users. According to Ctrip, the vulnerability arose because the company's technical staff did not delete the temporary logs generated while troubleshooting the system; the information has now been deleted.
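The report above describes two separate mistakes: a debug mode that wrote full card-verification packets (card number and CVV included) to disk, and a log directory that could be reached by path traversal. The block below is an added illustration, not Ctrip's code or anything from the WooYun report: it shows a debug logger that leaks the way the page describes beside a hardened one that never records the CVV and masks the card number, plus a path check of the kind that would have blocked the traversal. The request field names, the log directory and the card values are all constructed for the example.

```python
"""Added example (not from the page or from Ctrip): debug logging of a
card-verification request, vulnerable form beside hardened form, and a
traversal check on the log-file lookup.

Assumptions: field names (card_number, cvv, ...), the log root
/var/log/pay and the card values are hypothetical, constructed here.
"""
import json
import re
from pathlib import Path

# Constructed sample of a request to a bank's cardholder-verification
# interface. Synthetic values only.
SAMPLE_REQUEST = {
    "cardholder_name": "ZHANG SAN",
    "id_number": "110101199001011234",
    "card_number": "6222021234567890123",
    "expiry": "12/16",
    "cvv": "123",
    "amount": "899.00",
}


# --- vulnerable: debug mode dumps the whole packet ----------------------
def log_payment_debug_vulnerable(request: dict) -> str:
    """The log line a debug-enabled handler writes: the full packet,
    card number and CVV included. This is the behaviour the page describes."""
    return "DEBUG bank-verify request: " + json.dumps(request, sort_keys=True)


# --- hardened: drop sensitive authentication data, mask the rest --------
NEVER_LOG = {"cvv", "cvc", "cvv2", "pin"}  # must never be written anywhere
# field -> (digits to keep at the front, digits to keep at the end)
MASK_FIELDS = {"card_number": (6, 4), "id_number": (0, 4)}


def mask(value: str, keep_prefix: int, keep_suffix: int) -> str:
    """Keep only the leading/trailing digits requested; star out the middle."""
    digits = re.sub(r"\D", "", value)
    if len(digits) <= keep_prefix + keep_suffix:
        return "*" * len(digits)
    middle = "*" * (len(digits) - keep_prefix - keep_suffix)
    return digits[:keep_prefix] + middle + digits[len(digits) - keep_suffix:]


def redact(request: dict) -> dict:
    """Copy of the request that is safe to log: CVV/PIN removed entirely,
    card number reduced to BIN + last four, ID number to last four."""
    out = {}
    for key, value in request.items():
        if key.lower() in NEVER_LOG:
            continue
        if key in MASK_FIELDS:
            out[key] = mask(str(value), *MASK_FIELDS[key])
        else:
            out[key] = value
    return out


def log_payment_debug_hardened(request: dict) -> str:
    return "DEBUG bank-verify request: " + json.dumps(redact(request), sort_keys=True)


# --- directory traversal check on the log-file lookup -------------------
def safe_log_path(log_root: str, requested: str) -> Path:
    """Resolve a requested log name inside log_root and refuse anything that
    escapes it, whether via '..' segments or an absolute path."""
    root = Path(log_root).resolve()
    candidate = (root / requested).resolve()
    if candidate != root and root not in candidate.parents:
        raise ValueError(f"path traversal rejected: {requested!r}")
    return candidate


def is_inside_log_root(log_root: str, requested: str) -> bool:
    try:
        safe_log_path(log_root, requested)
        return True
    except ValueError:
        return False


# --- detection helper: would this log line have leaked card data? -------
def contains_sensitive(line: str) -> bool:
    """True if the line carries a 13-19 digit run (a full card number or
    ID number) or a CVV field at all."""
    return bool(re.search(r"\b\d{13,19}\b", line)) or '"cvv"' in line.lower()


if __name__ == "__main__":
    print(log_payment_debug_vulnerable(SAMPLE_REQUEST))
    print(log_payment_debug_hardened(SAMPLE_REQUEST))
    print(is_inside_log_root("/var/log/pay", "debug.log"))
    print(is_inside_log_root("/var/log/pay", "../../etc/passwd"))
```

The hardened logger keeps exactly what a support engineer needs for troubleshooting (BIN, last four digits, amount, expiry) and nothing that lets someone charge the card. Dropping the CVV rather than masking it matters: card-scheme rules forbid storing it after authorisation at all, so a debug flag must never be able to reintroduce it. The `contains_sensitive` check is the kind of thing to run over an existing log directory after an incident like this one, to find out how many files actually carry full card numbers.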

Let's not discuss the consequences of the incident for now; first, a personal experience from a Ctrip user.


That something like this happened does not surprise me at all. Why am I not surprised? I would like to tell you about something that happened to me. I remember that in 2011 I was on a business trip in Indonesia, and to get back to Hong Kong I had to transit and stay over for a day, so I called Ctrip to book a hotel.

Everything went fine until the payment step, when Ctrip said they needed my credit card as a guarantee, and I said no problem. A credit card guarantee, isn't that normal? Right? Totally normal!!! Then the Chinese-speaking Ctrip operator started asking me over the phone for my credit card number, expiry date, CVV code and ID number! Really "Q". So I read the numbers out to her, and she repeated them back loudly to check.

I was stunned: had I really just read the whole number out like that? With a credit card number, expiry date and CVV code, those three things, anyone can easily charge my card online, okay? But there was no way around it; the hotel had to be booked, and at that time only Ctrip was convenient, I didn't know any other way. I was ready to finish the hotel booking as quickly as possible and cancel the credit card as soon as I got home and get a new one.

That wasn't the end of it. After I complained to Ctrip, the phone call went on for an hour, and they obviously did not understand what I was talking about. The first manager kept asking whether I was afraid of my card number being overheard by others as I read it out, and if so I should find a secluded place. (vomiting blood) And then it came out

