Google search yields credit card numbers from Blippy (Update)
by Steve Ragan - Apr 23 2010, 23:24
Update:
After a conversation with both Blippy and Google, we were correct in our assumption that something somewhere went horribly wrong. The issue that caused credit card details to be published on Google was fixed when it was reported to Blippy back in February. Today’s events were an isolated incident from the initial beta test and don’t affect current users.
However, while it was fixed on Blippy’s website, there was never a request made to have those URLs removed from Google until today.
When asked his initial response to the discovery of the credit card data, Blippy Co-Founder and CEO Ashvin Kumar said it was embarrassment. “We’re users ourselves, so we don’t want our details out there either,” he added. Each day, Kumar explained, Blippy checks the raw data and scrubs it of sensitive information.
The process, which would turn “Cracker Barrel Old Country Store #116 Indianapolis from card #1111222233334444” into “Cracker Barrel Old Country Store,” is an ongoing effort.
What happened today is the complete opposite of what they aim for when it comes to user experience. Their aim, Kumar said, is for Blippy to offer a safe and secure way for their users to share purchasing information. “We’ve been working on building a positive relationship with our users.”
In a statement, Blippy President and Co-Founder Philip Kaplan said, “Many months ago when we were first building Blippy, some raw (not cleaned up, but typically harmless) data could be viewed in the HTML source of a Blippy web page. The average user would see nothing, but a determined person could see "raw" line items.”
As a result, the statement adds, four credit card numbers were listed 196 times. Yet, the question of why they appeared is the mystery. “Enter Google's cache,” Kaplan adds.
“Turns out Google indexed some of this HTML, even though it wasn't ever visible on the Blippy website, and was removed from the HTML code months ago.”
This is true, but under Google’s long-standing process, URLs must be requested for removal. Once Blippy reached out to Google, the search leader acted swiftly and took down the links.
“Around 9:00am Pacific we learned that blippy.com had published credit card numbers on their website. As part of our usual crawling and indexing process, these numbers became discoverable in Google search snippets. Blippy contacted us and we took special measures to remove the numbers from search results. We fixed the problem by 11:20am Pacific and the numbers should no longer be discoverable in search,” a statement from Google said.
“Please keep in mind that search engines are a reflection of the content and information that is available on the Internet. Search engines such as Google do not own this content, and do not have the ability to remove content directly from the Internet. Standards are in place that Google and other search engines follow that enable site owners to protect information on their sites from being indexed and searchable. These standards give site owners the flexibility to publish content and control how it is found.”
The standards mentioned are the tools for webmasters to ensure that different types of pages are not cached. In addition, Google provides webmasters with an automatic URL removal system. This system allows them to remove their pages, including cached copies, from the Google index in the event that information has been mistakenly published.
Google encourages anyone not familiar with these tools to learn more here.
Blippy was recently featured by The New York Times and earned, as mentioned in the earlier version of this story, $11.2 million in Series A funding. Kaplan said that they plan to use a good deal of it to build out their infrastructure, as well as to work with third parties to conduct security assessments.
“We are hugely focused on security and are making efforts to bolster our security to ensure that nothing like this ever happens again... Still, this should have never happened and we take responsibility,” Kaplan added.
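The daily scrubbing Kumar describes, and the raw line items Kaplan says sat in the HTML source, can both be checked mechanically. The sketch below is an added example, not Blippy's code: the raw line-item format is assumed from the one example in this article, and the function names and sample markup are constructed for illustration.

```python
import re

# 13-19 digits, optionally split by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Assumed raw format, modelled on the article's example: everything from the
# store number ("#116 ...") onward is processor residue, not merchant name.
STORE_SUFFIX = re.compile(r"\s+#\d+\b.*$")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid card-number candidates found anywhere in text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def scrub_line_item(raw: str) -> str:
    """Reduce a raw line item to a displayable merchant name."""
    cleaned = STORE_SUFFIX.sub("", raw)
    # Fail closed: mask every card-length digit run, Luhn-valid or not.
    return PAN_CANDIDATE.sub("[REDACTED]", cleaned).strip()


# Constructed sample: the visible text is clean, the markup is not.
SAMPLE_HTML = """<li class="purchase" data-raw="Cracker Barrel Old Country
Store #116 Indianapolis from card #1111222233334444">
spent at Cracker Barrel Old Country Store</li>
<!-- order ref 1234567890123456 -->"""

if __name__ == "__main__":
    print(scrub_line_item("Cracker Barrel Old Country Store #116 "
                          "Indianapolis from card #1111222233334444"))
    # Audit the full source (attributes, comments), not just rendered text.
    print(find_pans(SAMPLE_HTML))
```

Running `find_pans` over the complete response body as a pre-publish or CI check catches the case described here, where the rendered page looks clean but the markup a crawler indexes does not.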
Original Article:
The assumption is that when Blippy launched officially, they never intended that in addition to sharing credit card purchases with the world, their users would share their credit card numbers as well.
For those who don’t know, Blippy is a social network where you share credit card transactions as they are made. Launched officially in January, they recently received $11.2 million in Series A funding. In a Twitter-like stream, the location of the purchase, the total amount, and sometimes the item itself is listed for friends to comment on.
However, earlier today, posts on Twitter started to circulate with a Google search. The results of the search showed Blippy streams containing exactly what you would expect, and one other unexpected item altogether – actual credit card numbers.
There is no way that Blippy intended this to happen, and we’ve put in an email to see if there is any information. As of 12:45 p.m. EST the search was still returning almost 200 results with card data.
From some initial checking, it would appear that while the card data exposed is protected on Blippy, Google is able to index the protected transactions. If the links to the exposed transactions are clicked, they result in an error message that reads, “That purchase is protected. You must be logged in and approved by [USERNAME] to view it.”
While other sites and Tweets will post the entire search string and sample images, we will refrain from outing the most visible user and their credit card details. Once we have more information, we will post an update to this article.
If you are a Blippy user, check your stream carefully, and make sure you are not exposing sensitive information.
