Here's the deal. Blippy is a startup service that allows anyone to create a profile and share their various online purchases with a mass group of friends. It's akin to a giant Facebook wall for shopping: When you buy $500 worth of Blu-ray discs from your favorite online retailer, this purchase gets shared on Blippy as long as you made the transaction using your previously designated "Blippy Card."
The Blippy Card isn't a new piece of plastic--it's just the credit card that you've told Blippy to track purchases on, with the understanding that purchases you don't want tracked can be made using another card or payment system.
For most retailers, the actual purchase information related to a transaction is pretty sparse: It might register as "Favorite Retailer DVDs City Name," for example. Blippy takes this "raw data," as they call it, and cleans it up to a more manageable note like "Favorite Retailer" just to give you (and your friends) a nicer way to see what you've been purchasing.
The recent issue at hand concerns a combination of this raw data and Google's cache of Blippy's site pages. According to Philip Kaplan, Blippy's co-founder, the raw data related to some purchases used to be viewable in the source code of a given Blippy page. Though Blippy found and removed this backdoor, and claims that said raw data was never accessible on Blippy's live site, Google nevertheless indexed this information. For five users, an unexpected combination of raw data and the Google cache errantly exposed their full credit card numbers for more than 100 separate purchases.
According to Blippy co-founder Ashvin Kumar, there are five separate criteria to tell if a user's credit card number could be compromised via his or her Blippy account:
Whether it was five users or five hundred, Blippy's security issue nevertheless raises the time-tested argument about oversharing on the Web. And it's not as if corporate retailers themselves are ignoring the issue.




