Intrepidus Group
Insight

Some thoughts about the Tripadvisor breach

Posted: March 24, 2011 – 9:49 pm | Author: | Filed under: Articles, bugs, Passwords

Gawker, Trapster, now Tripadvisor.


I’m sorry, Steve Kaufer, but I don’t think the email you sent is good enough anymore. You said “passwords remain secure”.

HOW DO WE KNOW THAT?

  • State how you stored the passwords
  • Is it a one way hash? If so, state the algorithm
  • What about the salt? Did you have one? How many bytes?
  • Even better, were you using something strong, with a work factor, like bcrypt or md5crypt?
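The properties the list above asks about (one-way hash, per-user salt, salt length, tunable work factor) are all visible in a well-formed stored record, which is why a breach notice can state them. The following is an added example, not code from the original post or from TripAdvisor. It uses PBKDF2-HMAC-SHA256 from the Python standard library as the work-factor function, since bcrypt and md5crypt, which the post names, are not in the standard library; that substitution, the record format, the default iteration count and the sample password are all assumptions of the example.

```python
import hashlib
import hmac
import os

# Added example (not from the original post): minimal salted, work-factored
# password storage next to the weak unsalted scheme, so the difference the
# post is asking about is concrete. PBKDF2-HMAC-SHA256 stands in for
# bcrypt/md5crypt (assumption: any adjustable-cost KDF makes the same point).

ITERATIONS = 200_000  # assumed default work factor; raise it as hardware gets faster
SALT_BYTES = 16       # 128-bit random salt, generated per stored password


def unsalted_md5(password: str) -> str:
    """The weak scheme: the same password gives the same digest for every user."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hex)."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def _parse(stored: str):
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    return int(iters), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time."""
    iterations, salt, expected = _parse(stored)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, min_iterations: int = ITERATIONS) -> bool:
    """True when a record was made with a work factor below the current policy."""
    iterations, _, _ = _parse(stored)
    return iterations < min_iterations


def salt_bits(stored: str) -> int:
    """How many bits of salt a record carries (the 'how many bytes?' question)."""
    _, salt, _ = _parse(stored)
    return len(salt) * 8


if __name__ == "__main__":
    # Constructed sample: two users who happened to pick the same password.
    shared = "Summer2011!"
    print("unsalted md5 identical for both users:", unsalted_md5(shared) == unsalted_md5(shared))
    a, b = hash_password(shared), hash_password(shared)
    print("salted records identical:", a == b)
    print("salt bits:", salt_bits(a))
    print("verify correct:", verify_password(shared, a), "verify wrong:", verify_password("wrong", a))
    legacy = hash_password(shared, iterations=1000)
    print("legacy record needs rehash on next login:", needs_rehash(legacy))
```

Because the algorithm name, iteration count and salt sit in the record itself, the answers to the questions above are a one-line lookup; `needs_rehash` is the hook for raising the work factor on a user's next successful login without forcing a reset.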

Here is the email from Tripadvisor’s CEO:

To our travel community:

This past weekend we discovered that an unauthorized third party had stolen part of TripAdvisor’s member email list. We’ve confirmed the source of the vulnerability and shut it down. We’re taking this incident very seriously and are actively pursuing the matter with law enforcement.

How will this affect you? In many cases, it won’t. Only a portion of all member email addresses were taken, and all member passwords remain secure. You may receive some unsolicited emails (spam) as a result of this incident.

The reason we are going directly to you with this news is that we think it’s the right thing to do. As a TripAdvisor member, I would want to know. Unfortunately, this sort of data theft is becoming more common across many industries, and we take it extremely seriously.

I’d also like to reassure you that TripAdvisor does not collect members’ credit card or financial information, and we never sell or rent our member list.

We will continue to take all appropriate measures to keep your personal information secure at TripAdvisor. I sincerely apologize for this incident and appreciate your membership in our travel community.

Steve Kaufer
Co-founder and CEO

The reason we just can’t accept the two statements I’ve highlighted is that not enough information was provided about the breach. In several other news outlets, security experts were speculating this was likely the result of a SQL injection attack. When minds are left to wander, and people go to SQL injection as the likely vulnerability, then someone familiar with SQL injection is left to ask the question: “well, why weren’t they able to dump the password table too?” Maybe it wasn’t SQL injection. Maybe there was a bug in an accessible CMS. Maybe some development test data was carelessly left somewhere. Maybe some API TripAdvisor exposed to a partner had a weakness that allowed the attacker to pass a userID number and get an email address.

Even though the TripAdvisor email is missing some useful detail, there will be some clues if password hashes were compromised. If they force a password change on returning users, that will tell the real story.

Who really knows? Tripadvisor does. This email sucked. It should have had more detail.

Aaron Higbee
