
What is the origin of the dark clouds that broke out of Ctrip and other leaks?

Posted on 9/26/2015 4:41:22 PM

At 6 p.m. on March 23, 2014, the Wuyun vulnerability platform (Wuyun.com) disclosed that Ctrip's secure payment server interface had a debugging function that saved users' payment records, including the cardholder's name, ID card number, bank card number, card CVV code, 6-digit card BIN and other information. Because personal financial information had been leaked, the disclosure aroused strong concern from all walks of life; the media rushed to report it, and opinions differed.

Storing sensitive user information in Ctrip's logs was undoubtedly wrong and stupid, but while public opinion pushed Ctrip to the forefront, the author became strongly curious about Wuyun.com itself. Looking back at the history of Wuyun.com's vulnerability disclosures is shocking:
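As an added defensive illustration (not code from the article, from Ctrip or from Wuyun.com), here is how a payment-log sanitiser can drop the CVV entirely, reduce the card number to its 6-digit BIN plus last four, and scan existing log lines for unmasked card numbers; the field names such as `card_number` and `cvv` are assumptions.

```python
import re
from typing import Any

# Fields the article says the debug interface wrote to logs (names assumed).
# A CVV must never be persisted after authorisation, so it is dropped, not masked.
NEVER_LOG = {"cvv"}
PAN_FIELDS = {"card_number"}
ID_FIELDS = {"id_card"}
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check that separates a real card number from an order id of similar length."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the 6-digit BIN and last 4 (enough to trace a dispute) and hide the rest."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:         # too short to be a card number: hide everything
        return "*" * len(digits)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_record(rec: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of a payment record that is safe to write to a debug log."""
    out: dict[str, Any] = {}
    for key, value in rec.items():
        if key in NEVER_LOG:
            continue             # CVV never reaches the log at all
        if key in PAN_FIELDS:
            out[key] = mask_pan(str(value))
        elif key in ID_FIELDS:   # ID card number: keep only the last 4 characters
            s = str(value)
            out[key] = "*" * max(len(s) - 4, 0) + s[-4:]
        else:
            out[key] = value
    return out


def find_leaked_pans(log_line: str) -> list[str]:
    """Detection side: flag Luhn-valid 13-19 digit runs already sitting in a log line."""
    return [m for m in PAN_RE.findall(log_line) if luhn_ok(m)]
```

Running `find_leaked_pans` over archived log files is the quickest way to measure the scope of an incident like the one described above before deciding what to report.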

October 10, 2013: room-booking records of Home Inn and other hotel chains were leaked; November 20: Tencent was accused of leaking data on 70 million QQ group users; November 26: a Qihoo 360 vulnerability allowed any user's password to be changed; February 17, 2014: an Alipay/Yu'e Bao arbitrary-login vulnerability put netizens' accounts at risk; February 26, 2014: a WeChat sensitive-information leak led to large numbers of user videos being exposed, with an impact comparable to the "XX gate" scandals......

This series of leaks made Wuyun.com, an originally unknown website, famous. While people question the irresponsible conduct of the companies involved, they are also full of questions about Wuyun.com: What kind of platform is this, and why can it expose the vulnerabilities of major companies one after another? How many secrets lie behind the dark clouds?

Behind the dark clouds

Wuyun.com (WooYun) was founded in May 2010. Its main founder is Fang Xiaodun, a former security expert at Baidu and a well-known domestic hacker under the handle "Jianxin", born in 1987, who appeared with Robin Li on Hunan Satellite TV's "Day Day Up" program in February 2010 and became known because his girlfriend sang a song on the show. Fang Xiaodun then joined forces with several people in the security community to establish Wuyun.com, with the goal of becoming a "free and equal" vulnerability reporting platform.

On Baidu Encyclopedia, Wuyun describes itself as follows: a security issue feedback platform that sits between vendors and security researchers, handling and following up on reported security issues while providing Internet security researchers with a platform for public welfare, learning, communication and research.

Although Wuyun has built its image as a public-welfare third-party organization to gain the trust of white hats and society, verification shows that Wuyun.com is not a public third-party institution but a purely private company, and its income comes from its vulnerability disclosure rules.

For general vulnerabilities, the rules of Wuyun.com are as follows:

1. After a white hat submits a vulnerability and it passes review, Wuyun.com publishes a summary of the vulnerability, including the title, the vendor involved, the vulnerability type and a brief description;
2. The vendor has a 5-day confirmation period (if it does not confirm within 5 days, the report is marked as ignored; it is not disclosed, and the timeline proceeds directly to the next step);
3. Disclosure to security partners 3 days after confirmation;
4. Disclosure to experts in the core and related fields after 10 days;
5. Disclosure to ordinary white hats after 20 days;
6. Disclosure to intern white hats after 40 days;
7. Available to the public after 90 days.

It is understood that when certain security service companies pay a fee to Wuyun.com, they can see all the vulnerabilities of their service customers in advance. Is it legal to pass vulnerability information to the service company without the customer's permission? It is also worth mentioning that the vulnerability titles published by Wuyun.com come entirely from white hat submissions, without any review or editing, so intimidating titles such as "can lead to the fall of more than 1,000 servers" and "nearly 10 million user records at risk of leakage" abound.

The author learned some stories from a friend who has been working in the security industry for many years:

1. From the beginning, the purpose of Wuyun's existence was to draw all parties' attention to security, which is undoubtedly important.
2. In the course of its development, differences arose within Wuyun, which may stem from inconsistent values among insiders: some sought fame, some sought profit, and some sought both.
3. These differences turned its vulnerability disclosures into a kind of disguised coercion (bargaining chips), and even into a colosseum in which members compete against each other.
4. In the process from point 2 to point 3, the relevant industry authorities (regulators) more or less acquiesced to (supported) the existence of Wuyun.

The disclosure of vulnerabilities is even more of a carnival

In the minds of the general public, mystery and danger are synonymous with hacking. Within the hacking world, however, hackers are mainly classified into two types, white hats and black hats: those who are willing to report vulnerabilities to enterprises and do not maliciously exploit them are white hats, while black hats make a living by stealing information for profit.

"Although Wuyun has a confidentiality period for the disclosure of vulnerabilities, in fact, I don't need to look at the details of the vulnerability. Any experienced hacker can test it in a targeted way as long as he reads the vulnerability title and description, so in most cases, once the vulnerability is announced, it is not difficult to get the details of the vulnerability as soon as possible," Z, a hacker circle member who has submitted dozens of vulnerabilities to Wuyun, told the author. "In fact, what you see is what we play."

The discoverer of Ctrip's vulnerability, "Pig Man", is the highest-ranked white hat on Wuyun, with as many as 125 vulnerabilities published. On the evening of March 22, Pig Man released two serious security vulnerabilities about Ctrip in a row, and his previous record includes vulnerabilities in many well-known enterprises including Tencent, Alibaba, NetEase, Youku and Lenovo; he is a veritable hacker. As to who "Pig Man" is, Z did not want to say more, revealing to the author only that Pig Man was actually an insider of Wuyun.com.


A utopia for hackers

"Because unauthorized black box security testing is illegal, it is popular in the circle that hackers hack websites to steal information, and finally as long as they submit vulnerabilities to manufacturers on Wuyun.com, they can be whitewashed."

Z also showed the author a private forum on Wuyun.com that can only be accessed by vetted white hats. In this secret forum the author found dedicated discussion sections on topics such as the black industry, online money-making and cyber warfare. In the article "Revealing Wuyun.com" published by Sina Technology in December 2013, Wuyun.com was questioned as "China's largest hacker training base", as shown in the figure below:


Similar topics abound in the forum, and many white hats have turned it into a hotbed for discussing exploitation techniques and how to use these vulnerabilities in the black industry, wandering in the gray area of the law.

Will security breaches become the most powerful public relations weapon in the Internet age?

With the rapid development of the Internet, the domestic underground black industry chain is also growing ever larger, and security vulnerabilities genuinely threaten everyone's real interests.

After the Alipay/Yu'e Bao arbitrary-login vulnerability was exposed on February 17, 2014, Alibaba's PR team responded quickly and put up a cash reward of 5 million yuan to calm public opinion. Since then there has been an endless stream of public relations pieces about the poor security of WeChat Pay and Alipay blaming each other. In the name of security, what lies behind this is the Internet business war of bans and counter-bans, black public relations and anti-black incidents, which keep intensifying, and Wuyun.com has played a role in fueling them.

In view of the unprecedented social concern caused by the continuous security incidents disclosed by Wuyun.com, some experts have recently begun to question whether Wuyun.com's vulnerability disclosure rules are legal: the media report frantically based on the vulnerability titles and brief descriptions published by Wuyun. So if someone deliberately publishes a false vulnerability, it is bound to have a very bad impact on the enterprise; who will bear this responsibility? Is a private company that holds so many security vulnerabilities and uses vulnerability disclosure as its business model itself stepping into the gray area of the law?

In its draft RFC2026 Responsible Vulnerability Disclosure Process, the Internet Working Group states that "reporters should ensure that vulnerabilities are genuine." However, when a vulnerability is released on Wuyun.com and confirmed by the enterprise, its authenticity and accuracy cannot be known. Responsible security vulnerability disclosure should be rigorous, and any technical worker who finds a vulnerability should clearly state its scope of impact so as not to cause unnecessary public panic. Take this Ctrip credit card incident: even if Wuyun.com was anxious for media exposure and hype for its own reasons, it should still have explained whether the leaked information was encrypted and what the scope of impact was, rather than becoming a so-called "headline party" and holding enterprises hostage in the name of security.

The disclosure of security vulnerabilities is necessary: it is responsible not only to users but also to the oversight of enterprise security. How to truly achieve responsible vulnerability disclosure, however, is worth pondering.
