Tragedy! WooYun platform says check-in records of 20 hotels have been leaked

In the face of the Internet, nothing is really safe. If nothing is done, a large number of domestic hotels may leak their guests' check-in records.

Recently, the domestic security vulnerability reporting platform WooYun (WooYun.org) said in a report that Home Inns, Hanting and a large number of other hotels have their key guest records stored with a third party, and that a vulnerability there is leaking them.

It is understood that the vulnerability was first discovered by the white hat "or Yep" and submitted to the WooYun platform on August 21. Following WooYun's standard process, the hotels' technical service provider, Zhejiang Huida Yizhan Network Co., Ltd. (hereafter: Huida Yizhan), was notified; the report was then opened progressively to experts and technical staff, and the vulnerability details are now public. The case has also been forwarded to the National Internet Emergency Center for handling.

So far only Hanting has denied the report, saying the company does not use any Huida Yizhan equipment.

The vulnerability report states that Home Inns, Hanting, Xianyang International Hotel, Hangzhou Metropark International Hotel, Yi 365 Express Hotels and Dongguan Humen Oriental Sofitel Hotel all use, in whole or in part, the hotel Wi-Fi authentication management system developed by Huida Yizhan, and that Huida Yizhan's server stores the hotels' guest records in real time: guest name (only two characters are shown), ID number, check-in date, room number and a large amount of other sensitive personal information.

(The original report shows a screenshot of the exposed check-in records here.)

Why does the vulnerability exist? The report's author describes the overall business logic between Huida Yizhan and its partner hotels as follows:

When a guest connects to the hotel's Wi-Fi, they must pass web authentication before getting Internet access. The authentication server is not located at the hotel but on Huida Yizhan's servers, so that server also holds a copy of the hotel's guest information. Guest data is synchronized to it over HTTP, and the synchronization requires authentication, but the username and password are transmitted in plaintext and can be sniffed in any number of ways. With those credentials, anyone can retrieve from the server the key guest information uploaded by every partner hotel, hence the possibility of a leak.
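The weak link in that description is the synchronization step: credentials carried over plain HTTP are readable by anyone on the path, and once recovered they unlock every hotel's records rather than one hotel's. The following script is an added illustration, not code from the WooYun report or from Huida Yizhan; it parses a few constructed HTTP requests of the kind a sniffer on the hotel LAN might capture and pulls out any credentials sent in the clear, whether as an HTTP Basic header or as a username/password form post. The hostnames, paths, field names and credentials in the sample are all made up, and the exact authentication format the real system used is an assumption, since the report only says the username and password were transmitted in plaintext.

```python
import base64
from urllib.parse import parse_qs


def basic_header(user, password):
    """Build an HTTP Basic Authorization header value (used only to construct the sample)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Authorization: Basic {token}"


# Constructed sample traffic (not real captures): an on-site device pushing a
# guest record with Basic auth, a login form post, and a harmless status poll.
SAMPLE_REQUESTS = [
    (
        "POST /sync/checkin HTTP/1.1\r\n"
        "Host: sync.example-wifi-vendor.invalid\r\n"
        + basic_header("hotel_007", "hotelPass123") + "\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "\r\n"
        "name=%E7%8E%8B%2A&id_no=3301**********1234&room=1208&checkin=08-20"
    ),
    (
        "POST /api/login HTTP/1.1\r\n"
        "Host: sync.example-wifi-vendor.invalid\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "\r\n"
        "username=hotel_042&password=Secret!42"
    ),
    (
        "GET /status HTTP/1.1\r\n"
        "Host: sync.example-wifi-vendor.invalid\r\n"
        "\r\n"
    ),
]

USER_FIELDS = ("username", "user", "login")
PASSWORD_FIELDS = ("password", "pass", "pwd")


def split_request(raw):
    """Split a raw HTTP/1.1 request into (request line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def find_cleartext_credentials(raw):
    """Return a list of (source, username, password) recoverable from one plaintext request."""
    _, headers, body = split_request(raw)
    found = []

    # Basic auth is only base64, not encryption: anyone holding the bytes has the password.
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            decoded = base64.b64decode(auth[6:]).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            decoded = ""
        if ":" in decoded:
            user, _, password = decoded.partition(":")
            found.append(("basic-auth", user, password))

    # A form login over HTTP is equally exposed; the body is plain URL-encoded text.
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        form = parse_qs(body)
        user_keys = [k for k in form if k.lower() in USER_FIELDS]
        pw_keys = [k for k in form if k.lower() in PASSWORD_FIELDS]
        if user_keys and pw_keys:
            found.append(("form-post", form[user_keys[0]][0], form[pw_keys[0]][0]))

    return found


def scan(requests):
    """Run the check over a list of captured requests and collect every hit."""
    hits = []
    for raw in requests:
        hits.extend(find_cleartext_credentials(raw))
    return hits


if __name__ == "__main__":
    for source, user, password in scan(SAMPLE_REQUESTS):
        print(f"{source}: {user} / {password}")
```

Both captured credential pairs come back in full from the sample. Two fixes follow directly from the report's description: carry the synchronization channel over TLS so the credentials and the guest records are not readable on the wire, and bind each hotel's credentials to that hotel's records on the server, so that one sniffed password no longer exposes every partner hotel's data.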

According to the data, the hotels partnering with Huida Yizhan include Home Inns, Hanting, 7 Days, Speed Chain, GreenTree, Fu Yi Hotel, Jinjiang Inn and Vienna, 20 in all. Taken together, the number of affected customers should be considerable.

On this matter, Hanting Hotels replied in the comments on October 8, saying the group has never used any Huida Yizhan equipment and that there is therefore no information disclosure. The full reply follows:

Regarding the vendor named in the report: our group has not used any of this vendor's equipment. Our Wi-Fi authentication platform is developed in-house and its authentication mechanism is completely different; no information is kept with any third party. The white hat's bug report is misleading, and its content offers no proof that Hanting hotels use the product in question or have this vulnerability. White hat, please don't just look at the title. Thank you.

As of press time, the other hotels involved have not commented.