Ctrip.com is China's No.1 travel booking website in terms of market share but it gave its users a good scare this weekend. More than 10 million Ctrip users and their personal and financial information were apparently exposed to two security flaws. The bugs were discovered Saturday by Wooyun.org, an independent web security monitor.
"A server, if run normally, usually hides logs and sensitive records in the background. No one can see that data. But some security breakdowns may give hackers an opportunity to download that information," said Fang Xiaodun from Wooyun.org.
Wooyun says that the security flaws were so obvious that even a greenhorn hacker could have easily obtained all of the stored credit card numbers, passwords and CVV codes of Ctrip's users.
Ctrip responded to the report by immediately correcting the security issue and announcing that it would provide full compensation to anyone suffering a loss because of the problem.
"If any losses are incurred by our users because of the loopholes we will provide compensation. We will also reward discoverers of any security flaws in the future. We've set up a 5 million yuan fund to encourage people to help us improve our web security," said He Jing, Public Affairs Manager at Ctrip.com.
Some Ctrip users have reported that money was stolen from their credit cards that were linked with their Ctrip accounts. Legal experts say it's illegal to store consumers' sensitive credit card information such as CVV numbers without advance notification, and that Ctrip is likely to face administrative punishment.
Many users have already unlinked their credit cards and bank accounts with Ctrip and analysts say that will be a huge blow to Ctrip's financial performance this year.