Saturday, December 14, 2013

20 Million Chinese Hotel Guests have data leaked

This morning Secure Computing shared a brief article about Data on 20 Million Chinese Hotel Guests being shared by hackers. Unfortunately the only link in the article was a search for the word Breach on SCMagazine's own website.

The source was South China Morning Post, which has actually been writing about this for some time. On October 11, Amy Li reported that "Home Inn Hotels" a popular discount chain, and Hanting Hotel Group, were using "faulty hotel management software" developed by CNWISDOM. This was reported by "independent internet security watchdog Wuyun.org". The NASDAQ traded hotel chain eventually acknowledged the vulnerability, which they described as a weakness in their Wireless Portal Security System, and announced on their home page that the issue had been resolved, thanking WooYun for helping them with the vulnerability.

CNWisdom Data Leaks

Shortly after the initial exchange, a seller on Taobao (think Chinese eBay) announced that he was selling 8 Gigabytes of hotel guest data for 2,000 Yuan. South China Morning Post reported that the chain had 450,000 hotel rooms in 4,500 hotels, and that when guests register, they are required to provide their home address, phone number, ID card, date of birth, and workplace if they want to use the WiFi service. This is apparently the data that was received.

As reported in Patrick Boehler December 9th story in the South China Morning Post, Chinese Hackers Leak Hotel Guest Data on WeChat, multiple websites were distributing the hotel data for 20 million guests, and some enterprising hackers had even built a chat interface allowing you to TXT someone's ID card number to the service and having it reply with the details of any hotel stays by that guest.

WooYun

WooYun regularly shares vulnerability data, so we thought we would start at the beginning and find that. There were several "cnwisdom" breach reports there, including:

WooYun-2013-41171 (submitted October 28, 2013) - which referred to an SQL injection vulnerability

WooYun-2013-41171 (submitted October 27, 2013) - which referred to a STRUCTS problem

WooYun-2013-034935 (submitted August 21, 2013) - the WiFi Data Leak

Unfortunately, I have to rely on some Google Translate here ...

The way WooYun explains it is (Gary's paraphrase of the Google Translate of what they said:)

"Users connect to their hotel's open WiFi, which requires them to use a webpage to authenticate. That webpage is using http protocol, which means the username and password are transmitted in the clear. But the next phase of the authentication is to update a central database of WiFi information. IN THE CLEAR, the authentication connects to a database using the username "cnwisdomapi" and the password "3b823[马赛克]ac36a"!!
That authentication userid and password can be used to query details for anyone who used the WIFI in ANY of these hotels!

After the media used this screen shot in their reports, the Hotel chain responding saying that the screen shot did not represent personal information of their guests.

The "Vulnerability Response" section says that the vendor was notified and confirmed the vulnerability on August 26th. On October 8th, they replied that the Vulnerabilities had been repaired and a proper authentication method that preserved encryption throughout the process to protect guests had been implemented.

WooYun and 189

This is hardly the first major breach from WooYun! In January they reported serious vulnerabilities in the Chinese telecom giant 189's infrastructure that allowed any user with a webbrowser to get detailed billing information, including the user name, address, and detailed call history for any mobile phone user!

The same breach reported also shared details on how any one could access a webserver on "wapsc.189.cn:8006" and use the "wapLogin/sendSms.action" to send unauthenticated SMS messages to any cell phone!

In a wonderful example of responsible reporting, WooYun declared the vulnerability to be "Level 20" (their highest rank) and reported the details to the CNCERT National Internet Emergency Center on January 22 prior to releasing the details publicly on March 8, 2013.