
Blippy Shoots Self in Foot, Shares Users' Credit Card Numbers

Note: Update after the break

Blippy, a service that lets users share what they purchase, has shot itself in the foot by accidentally leaking users' credit card numbers, days after seemingly hitting the big time by raising $11.2 million and getting profiled in The New York Times. Owen Thomas of VentureBeat discovered that a simple Google search would reveal the credit card numbers, and in some cases home addresses, of specific Blippy users.

Oddly, it appears only Citibank-issued MasterCards were affected. This might indicate that the flaw is not necessarily with the Blippy system, but in how Citibank responds to Blippy's requests for credit card data. Even if Citibank is passing credit card numbers in plain text to sites requesting data, Blippy should have had measures in place to mask that information.

The sensitive data has been removed from the profile pages on Blippy, but it's still showing up in Google search results, and the postings on Blippy proper are still accessible by clicking on the "cached" link next to the listing. We contacted Google to see if it was actively working to remove the results, but are still waiting on a reply.

Blippy's co-founder, Philip Kaplan, told the New York Times today that the numbers in question belonged to four specific users. He explained that merchants pass along raw purchase data, and that sometimes that includes credit card numbers. Blippy removes that information from posts, but the numbers were still hidden in the HTML code of the site during the testing phase when it was scooped up by Google. That means this information has been floating around the Web for months without anyone noticing. Kaplan couldn't explain why the flaw only affected four users or why it took so long to discover.
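The failure described above is scrubbing at display time while the raw merchant string still reaches the page markup. As an added illustration (not Blippy's code; the function names, record layout and sample string are assumptions constructed here), this Python sketch masks card numbers once at ingestion so every later rendering, visible or hidden, is built from the scrubbed value:

```python
import re
from html import escape

# Candidate card number: 13-19 digits, optionally separated by single spaces or dashes.
_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pans(raw: str) -> str:
    """Mask each Luhn-valid card number in raw merchant text, keeping the last 4 digits."""
    def _mask(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)  # e.g. an order number: leave untouched
        return "*" * (len(digits) - 4) + digits[-4:]
    return _CANDIDATE.sub(_mask, raw)


def ingest(raw_description: str) -> dict:
    """Hypothetical ingestion step: scrub before anything is stored or rendered."""
    clean = mask_pans(raw_description)
    # Visible text and markup attributes are both derived from the scrubbed value only.
    return {"text": clean, "html": f'<span title="{escape(clean)}">{escape(clean)}</span>'}


# Constructed sample; 5555 5555 5555 4444 is a standard MasterCard test number.
SAMPLE = "CITI MC 5555-5555-5555-4444 COFFEE SHOP ORDER 1234567890123"

if __name__ == "__main__":
    print(ingest(SAMPLE))
```
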

Both Citibank and Blippy have yet to reply to our request for comment. [From: VentureBeat, via: Business Insider]

Update: We heard back from both Google and Blippy and the two are working diligently to clean up the mess. Google, for its part, has removed both the search results and the cached pages that contained the sensitive data. Blippy, in an official statement, apologized profusely and accepted responsibility for publishing the credit card numbers. The company took great effort to clarify that the issue was not widespread -- only four users were affected and the company was contacting them directly. Blippy also assured users that it would be taking efforts to bolster security in light of this revelation.
