
Google Fixes Credit Card Security Hole, But Snubs Discoverer

timothy posted about 4 months ago | from the and-that's-the-thanks-I-get dept.

Security 127

Frequent contributor Bennett Haselton writes: "Google has fixed a vulnerability, first discovered by researcher Gergely Kalman, which let users search for credit card numbers by using hex number ranges. However, Google should have acknowledged or at least responded to the original bug finder (and possibly even paid him a bounty for it), and should have been more transparent about the process in general." Read on for the rest of the story.

Back in 2007, I wrote that it was possible to find credit card numbers on Google by searching for the first 8 digits of your credit card number with a space in the middle, e.g. "1234 5678". Some users pointed out in the comments that it was even easier to find card numbers by searching for a number range such as

4147000000000000..4147999999999999

At some point after that discovery was posted, Google altered their search filters so that using number ranges to search for credit cards was no longer allowed. If you search for that range, you get a denial page which reads

Our systems have detected unusual traffic from your computer network. Please try your request again later.

According to security researcher Gergely Kalman, he had read my 2007 article and thought about the issue occasionally for a few years; then, in December 2012, he discovered a loophole in Google's search filter: he could search for number ranges matching credit cards by writing the range in hexadecimal. So instead of searching for

4060000000000000..4060999999999999

he could search for the same number range in hexadecimal:

0xe6c8c69c9c000..0xe6d753e6ecfff

and Google would allow the search, and return a list of matching pages (most of which contained credit card numbers).
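The gap described above comes down to a filter that matches the spelling of a number rather than its value. As an added example (not Google's code and not the author's), here is the decimal-only check beside a version that canonicalizes each endpoint to an integer before the range test; the 16-digit bounds and the "overlaps the card space" rule are this example's own simplifying assumptions, not Google's actual heuristic.

```python
import re

# The two spellings of the same range quoted in the article: the decimal
# form was blocked, the hexadecimal form was not.
CARD_RANGE_DECIMAL = "4060000000000000..4060999999999999"
CARD_RANGE_HEX = "0xe6c8c69c9c000..0xe6d753e6ecfff"

# Simplifying assumption for this example: a range query is suspicious if it
# overlaps the space of 16-digit numbers. A real filter would use issuer
# prefixes and more context; the point here is the normalization step.
SIXTEEN_DIGIT_MIN = 10 ** 15
SIXTEEN_DIGIT_MAX = 10 ** 16 - 1

# Vulnerable pattern: only unsigned decimal integers are recognised.
DECIMAL_RANGE = re.compile(r"^(\d+)\.\.(\d+)$")

# Hardened pattern: one alternative per radix, each restricted to the digits
# valid for that radix, so normalize_literal() below can never raise.
LITERAL = r"(?:0[xX][0-9a-fA-F]+|0[oO][0-7]+|0[bB][01]+|\d+)"
ANY_RADIX_RANGE = re.compile(rf"^({LITERAL})\.\.({LITERAL})$")


def normalize_literal(token: str) -> int:
    """Canonicalize an integer literal of any accepted radix to its value."""
    t = token.lower()
    if t.startswith("0x"):
        return int(t[2:], 16)
    if t.startswith("0o"):
        return int(t[2:], 8)
    if t.startswith("0b"):
        return int(t[2:], 2)
    return int(t, 10)  # plain decimal; leading zeros are tolerated


def _overlaps_card_space(lo: int, hi: int) -> bool:
    lo, hi = sorted((lo, hi))  # a reversed range must not slip through
    return lo <= SIXTEEN_DIGIT_MAX and hi >= SIXTEEN_DIGIT_MIN


def naive_filter_blocks(query: str) -> bool:
    """Vulnerable: a hex literal never matches the pattern, so the query is
    never examined at all and passes straight through."""
    m = DECIMAL_RANGE.match(query.strip())
    if not m:
        return False
    return _overlaps_card_space(int(m.group(1)), int(m.group(2)))


def hardened_filter_blocks(query: str) -> bool:
    """Fixed: decide on the numeric value of each endpoint, whatever radix it
    was written in, so every spelling of a range gets the same answer."""
    m = ANY_RADIX_RANGE.match(query.strip())
    if not m:
        return False
    lo = normalize_literal(m.group(1))
    hi = normalize_literal(m.group(2))
    return _overlaps_card_space(lo, hi)


if __name__ == "__main__":
    for q in (CARD_RANGE_DECIMAL, CARD_RANGE_HEX, "1000..2000"):
        print(q, "naive:", naive_filter_blocks(q),
              "hardened:", hardened_filter_blocks(q))
```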

Gergely sent an email to security@google.com on December 28, 2012 (which he later showed to me), describing the vulnerability in detail. After describing the simple trick, his email stated: "I don't know if this qualifies as a bug bounty bug, but I think it's certainly not in your interest to let these queries through. Using this method one can bypass all your numerical query filters, filters for SSN, TFN, credit cards, maybe DoS prevention and others I can not think of at the moment."

Gergely sent them a follow-up email on August 23, 2013. In both cases he said he received no response except for an auto-reply.

Then on November 8, 2013, I wrote another article bringing up the fact that the original "1234 5678" trick still made it easy to find credit card numbers through Google, and generally wondering if that particular issue was ever going to be fixed (while remaining unaware of Gergely's discovery).

Gergely saw the article, and subsequently posted his discovery publicly on November 12, along with disclosing the fact that he had written to Google and never received a response:

"So I notified Google, and waited. After a month without a response, I notified them again to no avail. With a minor tweak on Haselton's old trick, I was able to Google Credit Card numbers, Social Security numbers, and any other sensitive information."

Gergely emailed me about my article and sent me a link to his blog post. With Gergely's permission, I posted a message in Google's product forums on November 14th, describing the problem and trying to bring it to the attention of a Google employee:

"This is a security issue that I'm trying to bring to the attention of a Google employee. I'm not sure if it fits under 'malware,' but I couldn't find a better place to post it. The original discoverer already emailed security@google.com twice and says he received no response.
[...]
The original discoverer posted about this trick here:
http://www.toptal.com/web/with-a-filter-bypass-credit-card-numbers-are-still-still-google-able

Can we get confirmation from someone at Google that they're aware of this issue, regardless of what they decide to do about it?
Thanks!"

At the same time, I became curious if Google would fix the bug any time in the next couple of days, so I set up a daily reminder on my computer to click the hex-search link every morning and see if it was blocked. So I checked every morning from November 15th until about November 20th, and then didn't bother for a few days after that. When I checked again on November 26th, the bug had been fixed, and searching on Google for a hexadecimal number range matching credit card numbers now gives the denial message:

Our systems have detected unusual traffic from your computer network. Please try your request again later.

Since Google didn't fix the bug for 11 months after first being notified by Gergely, but then fixed it within 2 weeks after Gergely's blog post and my forum question, it seems pretty certain that the blog post or the forum question was what triggered the fixing of the bug. But, then, why not acknowledge either with a response, or a bounty award for Gergely? According to the chart on Google's Application Security bounty program page, it should probably qualify for a $500 reward in the category "XSRF, XSSI and other common web flaws" under "Normal Google applications."

If Google had ignored the discovery completely -- or if they had replied and said that it was too low of a security priority to fix -- that probably would have settled the issue, whether we agreed or not. This is, after all, not exactly a sky-is-falling security hole -- in any case not as long as the "1234 5678" security hole allows people to find credit cards almost as easily.

But once Google decided to fix the bug, there would seem to be no excuse for snubbing the person who discovered it. Even though the fix was probably simple at the code level, pushing a code change through to the almighty Google search engine is presumably not cheap. If they're going to incur the costs of fixing the bug, what could be the reason for not crediting the discoverer and paying the bounty, which would also establish a good future relationship with a smart bug hunter? (Presumably that's one of the reasons the program exists.)

Maybe both of the original emails to security@google.com got lost, and maybe that has to do with the high volume of emails that the email address receives. I have no idea how those emails are processed internally at Google, but I assume it's likely that there is a pool of security experts to review the incoming emails, and each incoming mail is randomly assigned to one of those experts. If Google wants to reduce the chance of a legitimate bug slipping through the cracks without spending any extra money, my suggestion would be:

Instead of having each email be reviewed by one person chosen at random from a pool of highly paid security experts, have each email be reviewed by five people chosen from a low-paid pool of smart but inexperienced employees. The group of five would each independently vote "Yes" or "No" on whether the security issue needed to be bumped up, with a majority making the decision.

This recommendation is based on two principles. First, if you do a majority vote from a group of five, this reduces the chance of a legitimate issue being mis-categorized by a fluke. If a single "expert" categorizes an issue report correctly 90% of the time, and an intern categorizes an issue correctly 80% of the time, then taking a majority vote from a group of five interns will yield the right answer more often than a single expert. (I'm hand-waving over a few details -- I'm assuming that the probabilities of the different interns categorizing the issue correctly are independent, and I'm not weighing the relative cost of missing a legitimate issue versus raising a false alarm -- but the general principle still applies.)

Second, while it may take an experienced security researcher to understand the deeper implications of a bug and the cost of fixing it, in my experience most smart people can quickly see what constitutes a legitimate security hole and what is merely a decoy, even without a lot of coding experience. So it would be ideal work for interns or new employees who want to learn more about the kinds of security reports that come in.

That suggested fix is just based on my assumption that incoming emails to security@google.com are each reviewed by a single person, so that one oversight can cause an email to slip through the cracks.

On the other hand, when someone at Google did read the blog post or the forum question and discover the bug, I have no idea what sequence of events that kicked off, which led to the security hole being plugged without acknowledging the discoverer. That's another process that should be fixed.

Google, of course, deserves credit for fixing the bug, and generally for taking on the issue of filtering credit card searches in the first place. Blocking these searches, after all, mainly prevents harm to others by averting identity theft, without really benefitting Google directly; presumably they filter these searches due to some combination of (1) wanting to be a good corporate netizen and (2) not wanting their search tool abused by script kiddiez searching for credit cards (a class of users who would be singularly unlikely to click on the ads). But since they did fix the bug, they should pay the discoverer, or at least give Gergely a shout-out. If they ever decide to implement my intern-majority-rules idea for emails to security@google.com, a shout-out for that would be fine too.


127 comments

walloftext (-1)

Anonymous Coward | about 4 months ago | (#45674767)

tl;dr

I Summarized for you: (-1)

Anonymous Coward | about 4 months ago | (#45675179)

Your girlfriend Google (the only female you'll ever encounter in life) took a big shit down your neck..

Doesn't make sense (2)

Dachannien (617929) | about 4 months ago | (#45674825)

Why are these pages even indexed? Wouldn't it make more sense to just expunge them from the database (perhaps by hostname or even domain name as appropriate) rather than keep them around waiting for someone to figure out a way to trick Google into retrieving them?

Re:Doesn't make sense (0)

Anonymous Coward | about 4 months ago | (#45674935)

I guess it's cheaper to restrict the search results than to do CPU/IO intensive purging operations.

Re:Doesn't make sense (3, Interesting)

tibit (1762298) | about 4 months ago | (#45675427)

Google. They are a search engine. They are supposed to index stuff, not to censor it. It's the problem of the fucktards whose site security is so bad that a search engine can get to customer data like such (or the fucktards who leak such things on purpose). I really don't see why Google cares about it, and why other retards classify this as a "security hole". It's not Google who is leaking the data, so why is it upon them to fix it? If I were running a search engine, I'd be fighting requests for such "improvements" tooth and nail. People need to realize how insecure some sites/servers are, and who is better to expose it than a large search engine. Sigh.

New "Improved" Microsoft (-1, Troll)

sycodon (149926) | about 4 months ago | (#45676937)

Google is the new Microsoft. And it's decidedly Evil.

They have purchased technologies and assimilated them into their own pervasive environment. Are you logged into gmail? Open Youtube and it automatically logs you into an account that you never made and puts your email as the user name. I haven't been there, but I expect I have a Google+ account, even though I didn't make one.

Everything they do is about absorbing all the information about you possible and then throwing it back at you in the form of ads, offers, recommendations, playlists, search type ahead results (ever try to type www.youtube.com and have it first suggest www.youporn.com?)

If I had a way to easily dump all of my emails in gmail to a different provider, I would.

Re:New "Improved" Microsoft (0)

Anonymous Coward | about 4 months ago | (#45677655)

No, Microsoft is Microsoft, and Apple is Microsoft.

Google does stupid things but don't post stupid trolling like this, you fuckin sycophant.

Re:New "Improved" Microsoft (1)

topologicalanomaly47 (1226068) | about 4 months ago | (#45678171)

What's stopping you? Last time I heard IMAP was pretty easy to master. Wait, is it because other providers don't offer it for free?
If it was up to me not only would I let those searches through but also make a nice list of all the fucking idiots who leak private customer data like this. Maybe so the retards running those sites would move on from the "who would guess the link?" security model.

Re:Doesn't make sense (0)

Anonymous Coward | about 4 months ago | (#45676089)

Why wouldn't they be indexed? I don't understand why you morons are demanding that search engines not search. Do you understand the fundamental misunderstanding you have? If someone publishes web content, then it should be indexed. Google is not responsible for the content.

Do you normally blame victims for being a victim? I've lived in the USA for a few years, and it is sad how the liberals in this country always blame the victim or the tool used rather than blaming the bad guy. It is the fault of the person that publishes the credit card number.

Re:Doesn't make sense (0)

Anonymous Coward | about 4 months ago | (#45678333)

Why are they not indexed? They're part of the web, and a credit card system that relies for its security on the unwillingness of search engines to index certain ranges of numbers isn't secure at all. Better expose this so people have an incentive to move to a hopefully better system.

Heck, maybe searching for like numbers has other uses that're now blocked to provide a false sense of security to the big public. Why are we being this stupid? Is this all "security research" can come up with? If it were up to me, I'd fire them all for gross incompetence.

Re:Doesn't make sense (0)

Anonymous Coward | about 4 months ago | (#45678371)

"Big data is what happened when the cost of keeping information became less than the cost of throwing it away." -George Dyson #longnow

Can someone please explain the law (US)? (5, Interesting)

Anonymous Coward | about 4 months ago | (#45674829)

[...] With a minor tweak on Haselton's old trick, I was able to Google Credit Card numbers, Social Security numbers, and any other sensitive information."

I still don't get it. When do you go to jail for this [wired.com] , and when don't you?

Namely- do you go to jail when...

  • You become aware of a security bug?
  • If you test a security bug to make sure it exists?
  • You report the bug to the owner?
  • You report the bug to the media?
  • You blog about your discovery of the bug?

Is it arbitrary? It seems sometimes you get a reward/bounty, sometimes a thank you, sometimes a threat, and other times you get sent to jail...

What does a reasonable/prudent person do if they stumble onto a potential (or actual) security hole in someone else's system? Someone explain please.

Re:Can someone please explain the law (US)? (4, Informative)

Virtucon (127420) | about 4 months ago | (#45674953)

You get all of the above depending on what company/organization you're dealing with. If you're dealing with an entity that has an open attitude about these things, you'll get a reward or a pat on the back. If you're dealing with a private company that isn't open and has a monopoly to protect, you'll usually get a CFAA indictment for accessing their system in an inappropriate way...

Re:Can someone please explain the law (US)? (0)

Anonymous Coward | about 4 months ago | (#45675697)

You become aware of a security bug?

I manage a motel. The room locks are resistant to shims and cheap lockpicks. They are not resistant to crowbars or skilled locksmiths. Nobody has told me that's a "security bug"

I also have a website. How the fuck am I supposed to know if it is sufficiently secure? The threat model changes every goddamn day. How the fuck am I supposed to evaluate the vendors that host and maintain my site? If I pay five "Web Security Experts", I'll get ten different answers from them.

I can't make my site impervious to everything. I simply don't have the money, time, or skill. If the NSA wants in, I can't stop them. How do I decide where to draw the line? How do I tell my customers my security got breached by a team of experts and there was no defense? How do I measure my website security?

Re:Can someone please explain the law (US)? (1)

Ian Afterglow (3462137) | about 4 months ago | (#45677849)

You become aware of a security bug?

I manage a motel. The room locks are resistant to shims and cheap lockpicks. They are not resistant to crowbars or skilled locksmiths. Nobody has told me that's a "security bug"

Here's a short checklist for covering a website against the equivalent of shims and cheap lockpicks without going to the effort of keeping out the crowbars and the NSA...

1) Put the "no robots" tag on webpages that you don't want appearing in Google searches (rule of thumb: if it doesn't have a picture in it, you don't want it appearing when people search for you anyway).

2) Put a robot trap onto any page that leads to anything particularly valuable, or maybe just lay them everywhere that you have the no robots tag. That'll stop most of the nasty webcrawlers as well as the polite ones.

3) Ensure that inputs to the website from public facing pages are parsed to prevent SQL injection attacks.

4) Log everything.

What do people think? Would these four things keep out most of the "script kiddies" without costing a motel manager heaps of time or money, or is there a fifth thing that needs to be added to the list?

Re:Can someone please explain the law (US)? (2)

ArsenneLupin (766289) | about 4 months ago | (#45678505)

1) Put the "no robots" tag on webpages that you don't want appearing in Google searches (rule of thumb: if it doesn't have a picture in it, you don't want it appearing when people search for you anyway).

WTF?

Re:Can someone please explain the law (US)? (0)

Anonymous Coward | about 4 months ago | (#45676549)

Probably a trolling comment but maybe it sort of fits into this, since it is about law/fraud!!!

Why not just report the bug publicly, on the EFF's or other Electronic Freedom Orgs.' website, and then have a class action lawsuit filed against Google and other companies that ignore these bugs? Technically you could file it under fraud since these companies are supposed to be preventing this type of data from being accessed. I'm not sure about the laws, but if a person or small group had this exploit in their system they would be charged, even though they themselves didn't use the credit cards to commit blatant fraud.

And what's the point of having bounty programs if you're going to pick and choose who gets rewarded! And I know everyone has beaten this into the ground, but after reading this story, how and why would Google have a security email and not have anyone or enough people to sift through it? Or even an algorithm that sifted through emails for key words to bump it up to an actual person? Anyway, my point: maybe they ignored this because the US spying agencies were using this exploit to collect data or pinpoint someone of "interest".

Having said that maybe the Feds will start busting "bug hunters".

It seems if someone reports it and keeps it from going public, or they keep it within an inner circle of researchers, either the bug gets fixed or it gets ignored but the person isn't in trouble. However if they choose to go public and pick the right people (IE, EFF) without detailing the exploit, companies have no choice but to get it fixed, and the researcher shouldn't get into trouble.

But security researchers seem to have a moral compass, and want to do whatever they can to get a bug fixed. If they're not selling it or reporting it to underground circles so others can exploit it with the intention of profiting from it, I do not see why they should be imprisoned, or even charged. Even though by the law just looking for any bug is considered "hacking". Time to change what is, and what shouldn't be, considered a felony.

Great so another bug fixed but... (1)

Virtucon (127420) | about 4 months ago | (#45674839)

Why in the hell is Google indexing credit card numbers to begin with? I realize their bots sniff the web but this is information that they should just avoid collecting.

Re:Great so another bug fixed but... (0)

Anonymous Coward | about 4 months ago | (#45674881)

They index the web, and already censor credit card numbers to some extent, and you want more censoring of them? That seems pretty arbitrary and likely to have false positives.

Re:Great so another bug fixed but... (2)

CanHasDIY (1672858) | about 4 months ago | (#45675241)

They index the web, and already censor credit card numbers to some extent, and you want more censoring of them? That seems pretty arbitrary and likely to have false positives.

Yea, well, better to let 10 guilty hashes go free than let one innocent CC number suffer.

Re:Great so another bug fixed but... (4, Insightful)

ArcadeNut (85398) | about 4 months ago | (#45675061)

The better question is this:

Why is this information even stored in plain text and publicly accessible where it can be indexed in the first place?

Re:Great so another bug fixed but... (0)

Anonymous Coward | about 4 months ago | (#45676269)

The better question is this:

Why is this information even stored in plain text and publicly accessible where it can be indexed in the first place?

Just because that's the case it doesn't mean that we should make it easy to find and if Google got some help to fix this problem they should acknowledge it. There's no reason to be embarrassed about it, even those of us blessed with a 180+ IQ fuck up occasionally.

Re:Great so another bug fixed but... (0)

Anonymous Coward | about 4 months ago | (#45675065)

Why in the hell is Google indexing credit card numbers to begin with? I realize their bots sniff the web but this is information that they should just avoid collecting.

Could they be subject to PCI certification standards if they know they're collecting CC information? I know places that religiously avoid collecting CC info (relegating that to primarily because of this burdensome requirement.

Re:Great so another bug fixed but... (4, Insightful)

rubycodez (864176) | about 4 months ago | (#45675095)

plenty of good reasons to index long strings of numbers. I use google for part numbers, serial numbers, etc.

Re:Great so another bug fixed but... (1)

NormalVisual (565491) | about 4 months ago | (#45675383)

Very true, although I would think a rather small minority would be 16 digits long and pass the Luhn test.

Re:Great so another bug fixed but... (2)

swillden (191260) | about 4 months ago | (#45675535)

Very true, although I would think a rather small minority would be 16 digits long and pass the Luhn test.

10% of random 15 and 16-digit numbers pass the Luhn test.

Re:Great so another bug fixed but... (1)

NormalVisual (565491) | about 4 months ago | (#45675729)

Yes, and I would still consider 10% a "rather small minority". It still means that 90% of all 15/16 digit numbers would be inappropriately filtered. One could restrict the result set even more by only looking for leading digits in combination with digit counts that correspond to known card issuers and bring that percentage down quite a bit more.

The point was that given a random 12-16 digit number, it's not very likely that it will be a valid credit card number (even if the check digit passes), and even then the card number is useless without other unique identifying information.
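The arithmetic behind the 10% figure debated in the two posts above, as an added example that belongs to none of the commenters: the Luhn check digit is fully determined by the other digits, so for any length exactly one of the ten possible last digits passes. The functions below count this exhaustively for short lengths and estimate it by seeded sampling for 15 and 16 digits; all inputs are constructed.

```python
import random


def luhn_valid(number: str) -> bool:
    """Standard Luhn (mod 10) check over a string of ASCII digits.
    Working from the right, every second digit is doubled and digit-summed."""
    if not number or not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digits(prefix: str) -> list:
    """All final digits d for which prefix + d passes Luhn. The list always
    has exactly one element: the prefix fixes the running sum mod 10, and
    exactly one choice of the (undoubled) last digit cancels it."""
    return [d for d in "0123456789" if luhn_valid(prefix + d)]


def exhaustive_pass_rate(ndigits: int) -> float:
    """Fraction of all ndigits-long digit strings (leading zeros allowed)
    that pass Luhn. Feasible only for small ndigits; comes out at exactly 0.1."""
    total = 10 ** ndigits
    valid = sum(1 for n in range(total) if luhn_valid(str(n).zfill(ndigits)))
    return valid / total


def sampled_pass_rate(ndigits: int, samples: int, seed: int = 0) -> float:
    """Monte Carlo estimate for lengths where exhaustion is impossible
    (10**16 candidates). Constructed random digit strings, deterministic seed."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(samples):
        s = "".join(rng.choice("0123456789") for _ in range(ndigits))
        hits += luhn_valid(s)
    return hits / samples


if __name__ == "__main__":
    print("exhaustive, 4 digits:", exhaustive_pass_rate(4))
    print("sampled, 15 digits:", sampled_pass_rate(15, 20000))
    print("sampled, 16 digits:", sampled_pass_rate(16, 20000))
    # Constructed 15-digit prefix inside the 4060... range quoted in the article.
    print("check digit for 406000000000000:", luhn_check_digits("406000000000000"))
```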

Re:Great so another bug fixed but... (3, Interesting)

tibit (1762298) | about 4 months ago | (#45675451)

Why should they avoid collecting fucking numbers? Why is it their problem? What other information "should they just avoid collecting"? It's a very slippery slope I'd rather them not take. If it takes Google to get the U.S. credit card industry to wake up and realize that people need to use secure chip cards for physically-present transactions and secure pin generators for card-not-present ones, like is done in a lot of more bank-developed places on Earth, then so let it be. The fallout from having those numbers visible for all to see can't be but beneficial for the consumer in the long term.

Re:Great so another bug fixed but... (0)

Virtucon (127420) | about 4 months ago | (#45677189)

Look, numbers are fine but when they're mining it from sites that publish and peddle lists of Card Numbers and CVV2 info, that's another thing. Those sites have no other business than to promote crime. It's the same thing with Child Porn and other things that have been banned from search engines. Nobody likes censorship but there are things that should be filtered based upon good business practice and being a responsible corporate citizen. Google is smart enough to build filters to know whether what they're harvesting is a credit card number or not. They obviously made the change already but this guy found a backdoor and they've now closed that. Overall I think it's more troubling that Google has a ton of credit card numbers and CVV2 data stashed in their server farm(s); the only problem is we don't know what it's used for and how long they keep it. They probably have a cache of Child Porn just for shits and giggles too, but they'll probably never tell anybody about that, or if they did: "We use it to train our machine learning algorithms to recognize questionable material."

Secure Chip cards are available but every retailer is still using mag stripe readers. I agree it would be better but it would also be better if Websites who handled credit card transactions were at least held to minimum standards so this data doesn't get put out there in the first place for Google to mine. Better yet, just block Google from scanning your website both at the Firewall and in the Robots.txt file.

What bug? (1)

Arker (91948) | about 4 months ago | (#45676043)

This makes no sense. What bug? You searched for numbers you got the numbers. Sounds like google was working correctly at first and broken, not fixed, as the story went on.

The people who put pages of credit card numbers on the web like this have a problem, but it isn't Google's problem, Google can't fix it, and it's insane that they are expected to do so.

Why should Google filter our queries at all? (0)

Anonymous Coward | about 4 months ago | (#45674855)

Simple question: Why should Google filter or censor anything? Do we even want that?

Re:Why should Google filter our queries at all? (0)

Anonymous Coward | about 4 months ago | (#45674899)

Simple answer: Yes.

Long answer: Hell yes, filter it all. Why? Because the more often they shoot themselves in the foot, the more chance at an alternative search engine (like DuckDuckGo) getting more than a toehold. Ever tried to search for technical information over Tor using Google? It doesn't work. Every other search engine right now is crap for technical info.

Re:Why should Google filter our queries at all? (0)

Anonymous Coward | about 4 months ago | (#45675165)

To avoid being Scroogled.

This is not a sincere article about Google's search practice, this is an attack piece, intended to smear a rival.

Re:Why should Google filter our queries at all? (1)

Arker (91948) | about 4 months ago | (#45676059)

"Simple question: Why should Google filter or censor anything? Do we even want that?"

Simple answer. No. Hell no.

This accomplishes nothing (5, Insightful)

Anonymous Coward | about 4 months ago | (#45674859)

The problem is not that google accidentally lets you search for credit card numbers. Not at all.

The problem is that credit card numbers are published on the web so that search engines and anybody else can find them. Google can filter queries perfectly, but the numbers are still out there on some webpage - for some reason. If google won't let me search for numbers, then I can switch to another search engine. Google is far from the only one - it is merely the most popular one. (Google "search engines" to find some others.) Chances are the others are not so restrictive.

And of course I don't really need a search engine - I can make my own web crawler. A search engine like google is a big thing, but a web crawler that collects credit card numbers only is much simpler - it is something you can run from home.

So google: Please don't filter out card numbers from your searches. The fault does not lie with google, but with those who put credit card numbers on the web for all to see. If we can find them, we can warn them or even sue them. Let the searches go through, so they can get busted. Or so those numbers will get abused. That way, people might learn not to publish them.

Also, number searches are useful. I often search for product numbers, which sometimes have the same length as credit card numbers. This is "normal use", not hacking at all.

Re:This accomplishes nothing (0)

Anonymous Coward | about 4 months ago | (#45675029)

The problem is that credit card numbers are published on the web so that search engines and anybody else can find them.

No. The problem is that credit card systems are too easily abused. Why should it matter that someone has my CC#? It is not intended to be secret in the first place.

Re:This accomplishes nothing (1)

tibit (1762298) | about 4 months ago | (#45675465)

Same goes for bank account numbers - in the U.S., they are supposed to be kept private. Why? Because anyone can suck your account dry if they just have your account number! That's why. Sad but true.

Re:This accomplishes nothing (0)

Anonymous Coward | about 4 months ago | (#45675939)

Same goes for bank account numbers - in the U.S., they are supposed to be kept private. Why? Because anyone can suck your account dry if they just have your account number! That's why. Sad but true.

CC numbers are to be kept private? You are required to give your CC number to every merchant that you are dealing with either online or in the real world. Even in the real world what's to say that someone is not writing down your number while you are paying for your lunch?
Credit card payments based solely on a number without some additional form of authentication is an obsolete form of payment.

Re:This accomplishes nothing (0)

Anonymous Coward | about 4 months ago | (#45676117)

Even in the real world what's to say that someone is not writing down your number while you are paying for your lunch?

That may indeed happen. But a single case of CC fraud does not pay too well. So they do it again, and again. And the CC company notices that 50 abused cards were all used in the same restaurant. Police investigators then find out on whose shifts this happened, and that he has some of the items bought this way.

To put it short: They keep the system very simple, but also make sure to crack down on anybody abusing the system. A "don't step on the lawn"-sign does not prevent stepping on the lawn like a fence would. But if you're known to always beat up trespassers, it won't happen all that much either.

Re:This accomplishes nothing (0)

Anonymous Coward | about 4 months ago | (#45676559)

Your bank account and routing number are printed on every single paper check. There is no way that they were intended to be or can be expected to be "secure" or private.

This is only an issue when banks and CC issuers are allowed to minimize their security in order to reduce "friction" in their business models and leave customers holding the bag (even if temporarily) when fraud occurs.

Re:This accomplishes nothing (1)

symbolset (646467) | about 4 months ago | (#45676615)

Gee I wish I had thought about that before I ordered this box of checks with my account number printed on every one. Gosh I wonder how many copies of this number I have mailed out over the years.

Re:This accomplishes nothing (1)

swillden (191260) | about 4 months ago | (#45675607)

So google: Please don't filter out card numbers from your searches. The fault does not lie with google, but with those who put credit card numbers on the web for all to see.

I think Google did take that approach for several years, and it was found not to work. Specifically, the pages with all the card numbers didn't get taken down, and Google search made it trivial for people to find lots of potentially-valid CCNs.

Re:This accomplishes nothing (1)

larry bagina (561269) | about 4 months ago | (#45676573)

Any Turing-complete programming language can generate lots of potentially valid credit card numbers. All of them, in fact.

Re:This accomplishes nothing (0)

Anonymous Coward | about 4 months ago | (#45678459)

No, the real problem is that it's such a big problem to get your CC number out there.
In the Netherlands you either need a card with a computer chip or a randomly generated transaction number.
The only thing you can do with my card number is give me money.

The bigger issue is (3, Insightful)

purpledinoz (573045) | about 4 months ago | (#45674929)

why are credit card numbers even available to be indexed in the first place?

Re:The bigger issue is (2)

rubycodez (864176) | about 4 months ago | (#45675127)

wrong. the bigger issue is why we are so silly as to use short 15 or 16 digit numbers for making financial transactions. it's the same as the stupidity shown with using social security numbers.

Re:The bigger issue is (2)

CanHasDIY (1672858) | about 4 months ago | (#45675261)

wrong. the bigger issue is why we are so silly as to use short 15 or 16 digit numbers for making financial transactions. it's the same as the stupidity shown with using social security numbers.

If your CC number is on a web-facing interface in plaintext, I doubt it matters much whether it's 16 digits or 256.

Re:The bigger issue is (1)

swillden (191260) | about 4 months ago | (#45675507)

wrong. the bigger issue is why we are so silly as to use short 15 or 16 digit numbers for making financial transactions.

It's not the length that's the problem, it's the fact that we use the same value as both identifier and authenticator.

Re:The bigger issue is (1)

Marxist Hacker 42 (638312) | about 4 months ago | (#45675889)

I thought the identifier was the 15 or 16 digit number on the front of the card, and the authenticator was the three-to-four digit number on the back of the card (except in cases where a keypad is available, and then the identifier is the 15 or 16 digit number encoded on the mag strip and the authenticator is your 4 digit pin).

Re:The bigger issue is (0)

Anonymous Coward | about 4 months ago | (#45675945)

You are screwed. There.

In countries that have EMV (so, not the US) you're only a little bit screwed for in-person transactions, if you're very careful.

In other countries, and in EMV countries for card-not-present, you're completely screwed. One dishonest merchant, crooked bank employee, or fuck-up by a systems designer and your money is in somebody else's bank account and you're the one getting accused of fraud.

Re:The bigger issue is (0)

Anonymous Coward | about 4 months ago | (#45676099)

In countries that have EMV (so, not the US)

Wrong. We have them here, it's just not enforced by a lot of the merchants who serve as a "middle man" between the retailer and the actual CC company. Most online transactions these days DO require the verification code, and I've noticed that big payment houses like Western Union are starting to require it for phone-based payments.

As for retailers... shit they don't even touch the card any more. They have a pad where YOU swipe the card. Combine that with the "self checkout" aisles at a lot of stores and CC fraud is easier than ever. I've been signing bullshit names on my credit card transactions for decades. Usually I use whoever the sitting president is, sometimes I'll toss out a celebrity, lately I've been signing "Lady Gaga", and once in a while I'll sign something like "Fuck You" or "Your service sucks".

Re:The bigger issue is (1)

swillden (191260) | about 4 months ago | (#45676325)

I thought the identifier was the 15 or 16 digit number on the front of the card, and the authenticator was the three-to-four digit number on the back of the card (except in cases where a keypad is available, and then the identifier is the 15 or 16 digit number encoded on the mag strip and the authenticator is your 4 digit pin).

Nah, there are ways you can use the card number without the CVV1 or CVV2. And it's not like a three-digit authenticator adds very much security (more length there actually would help).

Re:The bigger issue is (0)

Anonymous Coward | about 4 months ago | (#45675839)

the bigger issue is why we are so silly as to use short 15 or 16 digit numbers for making financial transactions

No. Making CC numbers longer would be security theater.

The numbers are already large enough that random guessing is not a useful method of attack; it is detected too quickly. The attack vector is reading existing lists of valid numbers. For a computer, copying a 500-digit number is nearly the same as copying a 16-digit one. For a human, it would seem like a huge difference.

It would make things seem more secure without actually making things more secure. In fact, the harder you make it for humans, the less security you have, because people become more tolerant of errors, workarounds, and deviations from established procedure.

Re:The bigger issue is (0)

Anonymous Coward | about 4 months ago | (#45676069)

wrong. the bigger issue is why we are so silly as to use short 15 or 16 digit numbers for making financial transactions. it's the same as the stupidity shown with using social security numbers.

Wrong. The bigger issue is why does it matter if someone has the card number in the first place?

Re:The bigger issue is (1)

Anti-Social Network (3032259) | about 4 months ago | (#45676121)

Various black-hat websites have stolen credit card numbers available for sale or (I guess) free to anybody. It might make sense for credit card companies to trawl for these things and see if any of their users' cards are compromised, but they don't seem too interested in that. They'd rather wait until I make a purchase for a big item, decline the transaction, and make me call them when my new NAS fails to ship. I'm lucky if I get an email notification about it in a timely fashion.

This isn't a Google bug (0)

Anonymous Coward | about 4 months ago | (#45674931)

It's merely someone getting around a Google feature that protects when other people do something stupid. Not sure how this falls under the same category as XSSI.

Bennett, Please Read... (4, Insightful)

NotSanguine (1917456) | about 4 months ago | (#45674959)

The Elements of Style [amazon.com] . Your ponderous prose is an affront to literacy. Every time I see that you've posted something I wonder if you've finally realized that quantity does not equal quality. You may get paid by the word elsewhere, but not here.

I might even bother to read what you write if you would just, for the sake of all that is good in this world, be concise. ARRRGGGHHH!

Re:Bennett, Please Read... (1)

bennetthaselton (1016233) | about 4 months ago | (#45675081)

What's a paragraph you didn't think was necessary?

Re:Bennett, Please Read... (1)

vux984 (928602) | about 4 months ago | (#45675221)

fwiw, i think the biggest issue is virtually every other article on slashdot is a summary with a link to the article(s) ...(well on a good day in an idealized imagining of how Slashdot works - we're lucky if the summary makes sense, summarizes the actual article, and provides links to anything remotely agreeing with the summary... but I digress), except your submissions. Which seem to always be a full multi-page article in place of the usual "summary".

It's off-putting; both because it deviates from the norm, and also because it smacks of special treatment -- so we go into your articles already predisposed to want to cause you physical pain... because "oh it's a Haselton using slashdot as his personal blog article again"...

Write a 2 paragraph summary and post the full article ... "elsewhere". :p

Re:Bennett, Please Read... (0)

bennetthaselton (1016233) | about 4 months ago | (#45675375)

That's an interesting theory. I thought there were other original content pieces being run, although I never see them.

But surely it's more convenient for the readers to click through to an article on Slashdot than to read the summary here and click through to an article elsewhere. And it also avoids bifurcating the discussion -- otherwise we'd have some people commenting on Slashdot, and some people commenting in the threads on whatever site was hosting the article.

Given the advantages of hosting the content on Slashdot, if readers have a problem because they expect a link to an article that's hosted elsewhere, maybe the problem is with people's expectations? :)

Re:Bennett, Please Read... (0)

Anonymous Coward | about 4 months ago | (#45675769)

No, the problem is you violating norms. I don't know why you get away with it, but I'm not getting into that.

I thought there were other original content pieces being run, although I never see them.

I see that you take it upon faith, without evidence. Why in the name of Gawd's Green Earth would you think that the same thing is happening wrt other people, if you never see it? But really, the GP is right--post it on your blog, bifurcation be damned. This isn't your personal blog. If it's important, someone will RTFA and bring it back here for comment. And, if you want to host on /., we have these things called Journals. Link to it.

Re:Bennett, Please Read... (1)

Anonymous Coward | about 4 months ago | (#45675871)

There are three kinds of longer article on Slashdot:

- Book reviews
- The As from "celebrity" Q+As
- Bennett Haselton opinion pieces

It's a strange mix.

Re:Bennett, Please Read... (1)

vux984 (928602) | about 4 months ago | (#45678629)

I thought there were other original content pieces being run, although I never see them.

So that makes two of us who have never seen them.

The only other long form articles I can actually recall seeing are celeb Q&A answers, and book reviews.

But surely it's more convenient for the readers to click through to an article on Slashdot t

Not having a concise 2 paragraph summary makes them unequivocally less convenient for us to decide whether we WANT to read it.

And it also avoids bifurcating the discussion

I'm not convinced this is actually a problem; nor one that can't be solved using a journal page.

if readers have a problem

Then the readers should change?

maybe the problem is with people's expectations? :)

Yeah, you could argue that. You'd be wrong though.

Re:Bennett, Please Read... (1)

NormalVisual (565491) | about 4 months ago | (#45675497)

I'll bite. FTFA:

Gergely sent an email to security@google.com on December 28, 2012 (which he later showed to me), describing the vulnerability in detail. After describing the simple trick, his email stated: "I don't know if this qualifies as a bug bounty bug, but I think it's certainly not in your interest to let these queries through. Using this method one can bypass all your numerical query filters, filters for SSN, TFN, credit cards, maybe DoS prevention and others I can not think of at the moment."

Gergely sent them a follow-up email on August 23, 2013. In both cases he said he received no response except for an auto-reply.


There's really no reason for the last two sentences to be in a separate paragraph, and this is something that is common in the way you write. From The Elements of Style:

"In general, remember that paragraphing calls for a good eye as well as a logical mind. Enormous blocks of print look formidable to readers, who are often reluctant to tackle them. Therefore, breaking long paragraphs in two, even if it is not necessary to do so for sense, meaning, or logical development, is often a visual help. But remember, too, that firing off many short paragraphs in quick succession can be distracting. Paragraph breaks used only for show read like the writing of commerce or of display advertising. Moderation and a sense of order should be the main considerations in paragraphing." (emphasis mine)

Re:Bennett, Please Read... (1)

NotSanguine (1917456) | about 4 months ago | (#45676371)

I'll bite. FTFA:

Gergely sent an email to security@google.com on December 28, 2012 (which he later showed to me), describing the vulnerability in detail. After describing the simple trick, his email stated: "I don't know if this qualifies as a bug bounty bug, but I think it's certainly not in your interest to let these queries through. Using this method one can bypass all your numerical query filters, filters for SSN, TFN, credit cards, maybe DoS prevention and others I can not think of at the moment."

Gergely sent them a follow-up email on August 23, 2013. In both cases he said he received no response except for an auto-reply.

There's really no reason for the last two sentences to be in a separate paragraph, and this is something that is common in the way you write. From The Elements of Style:

"In general, remember that paragraphing calls for a good eye as well as a logical mind. Enormous blocks of print look formidable to readers, who are often reluctant to tackle them. Therefore, breaking long paragraphs in two, even if it is not necessary to do so for sense, meaning, or logical development, is often a visual help. But remember, too, that firing off many short paragraphs in quick succession can be distracting. Paragraph breaks used only for show read like the writing of commerce or of display advertising. Moderation and a sense of order should be the main considerations in paragraphing." (emphasis mine)

Thanks for picking that up NormalVisual. You're absolutely correct. I was just going to ignore Mr. Haselton's ridiculous question about paragraphs because it's not really the paragraphing that annoys me.

What really annoys me is the verbosity and lack of semantic content in his prose. I suggested "The Elements of Style" because he clearly isn't going to go away and thought he might learn something about writing clearly and concisely.

Mr. Haselton's posts (IMHO) appear to be written for a general audience, are poorly organized, and are often of dubious (IMHO) intellectual value. Several important aspects to writing engagingly are to know your audience, organize your thoughts coherently, be concise and to have the ideas flow logically. This post fails in all of those respects.

The end result is that the post is dull, hard to read and doesn't draw a picture of the concepts being expressed. Mr. Haselton clearly isn't an idiot, but he appears to be a poor writer of English prose.

If you're going to continue to "gift" us with your thoughts Mr. Haselton, I implore you to at least make an attempt to improve your writing. Should you do so, your posts will likely be much better received and will elicit more on-topic discussion.

As a relevant aside, I don't claim to be a great (or even good) writer. Nonetheless, feel free to critique my writing if you like.

Re:Bennett, Please Read... (1)

bennetthaselton (1016233) | about 4 months ago | (#45676699)

Do you have an example of what you're referring to?

Re:Bennett, Please Read... (1)

NotSanguine (1917456) | about 4 months ago | (#45676825)

Do you have an example of what you're referring to?

Yes. All of your posts.

Re:Bennett, Please Read... (0)

bennetthaselton (1016233) | about 4 months ago | (#45676847)

You're very articulate; now, do you have a specific example of a sentence or paragraph that is evidence of the claims you're making?

Re:Bennett, Please Read... (1)

NotSanguine (1917456) | about 4 months ago | (#45678011)

You're very articulate; now, do you have a specific example of a sentence or paragraph that is evidence of the claims you're making?

I'm not your English tutor. I'm not really interested in getting involved with you or your crappy prose. However, I am an honest and charitable guy so I gave you some constructive criticism. I already made specific comments about what I saw in your current post. If you can't extrapolate from there, I take back what I said about you not being an idiot.

Re:Bennett, Please Read... (0)

bennetthaselton (1016233) | about 4 months ago | (#45678261)

OK, so I'll assume you don't have any specific examples to support the claim that you're making. If you think of one, let me know.

Re:Bennett, Please Read... (1)

bennetthaselton (1016233) | about 4 months ago | (#45676709)

But this "rule" doesn't seem to have any bearing on clear communication. I'm all in favor of rules for writing that improve communication, but what's the point of following a rule that exists just for its own sake?

Re:Bennett, Please Read... (1)

NormalVisual (565491) | about 4 months ago | (#45677807)

I disagree. A paragraph is supposed to convey a single train of thought. When it's broken up into multiple paragraphs, it makes it more difficult to parse since one is expecting that the expressed thought is complete and is expecting something new, but has to rewind a bit. At least that's my opinion, and that of many others as well. It's just bad style.

Re:Bennett, Please Read... (0)

Anonymous Coward | about 4 months ago | (#45675587)

Since you asked...

The entire section on your "Great New Idea" to solve the filtering problem for reported bugs. Here you imagine a reason for why the original bug report was not responded to, then proceed to imagine an imaginary solution to your imaginary problem. At length. It's quite possible that the reason there was no reply was that Google simply thought the bug report was of comparatively little value (you address this at the end). In which case adding interns solves nothing. The solution is for them to email back more.

That whole section was a waste of time IMHO.

Also,

The problem with posting an entire article instead of a summary is that we have to read the whole thing to know what it's about. We don't like to read TFA at the best of times and the summary is there as a lightweight, bite-size, chunky, summary, of what we would have learned had we bothered to click the link. That way we can get on quickly to berating each other in an uncivilised manner.

By posting the entire article in the TFS you're basically giving a big middle finger to the lot of us and holding up the fun.

Incidentally, I think a great solution to all of this would be for Slashdot to hire a bunch of interns to selectively vote on whether each word should be in the submission. If they are 80% accurate then collectively they'll be 99% accurate when there's 10 of them, or something.

Re:Bennett, Please Read... (4, Insightful)

NormalVisual (565491) | about 4 months ago | (#45677915)

What's a paragraph you didn't think was necessary?

Most of them. This article boils down to:

"Google was returning credit card numbers in their search results. I wasn't happy about that, and wrote a blog entry about it. Google then changed their search results a bit to reduce these kinds of search results. A security researcher wrote to me to say that he found there were still ways to get card numbers in the search results. He wrote to Google to tell them about this and got no meaningful response. Fast forward several months - I posted in a Google forum about this issue, quoting the researcher, and a couple of weeks later Google fixed this issue. I'm not happy that neither he nor I got any credit for it or received a reward from the bug bounty program (even though this wasn't a bug and was a personal issue with the search results that were returned from a valid query), because I'm quite sure I'm the one to which they were responding when they "fixed" the query results. Here are some further ideas I have for improving the way these results are computed, and you should pay attention because I'm Bennett Haselton."

So what does everyone think?

Re:Bennett, Please Read... (1)

ColdWetDog (752185) | about 4 months ago | (#45677965)

You're hired.

Now, who are you going to replace? Samzenpus, Timothy, Soulskill, Commander Taco?

Re:Bennett, Please Read... (1)

bennetthaselton (1016233) | about 4 months ago | (#45678251)

This just states the conclusions, without the arguments in support of each conclusion. Of course you can make anything shorter if you just list the conclusion and not the intermediate steps.

For example, saying it's "not a bug" has no supporting argument. I said in the article that since Google decided to block the original number-range searches, that means they had implicitly declared that one of their design goals was to block searches that match lots of credit card numbers. If that's a design goal, then allowing the hex searches is a bug.

Re:Bennett, Please Read... (0)

Anonymous Coward | about 4 months ago | (#45675231)

His lack of writing quality doesn't matter, since his articles are always some overblown nerd rage anyway. I just want a check box to hide them, because I fail to notice his name and when I get part way through the article, I think "What is wrong with this person?"

Regex is cool, but you can still do this... (2)

ilikenwf (1139495) | about 4 months ago | (#45675009)

5 minutes and I made this dork. https://www.google.com/search?q= [google.com] "card+type"+"card+number"+"cvv2"+pastebin&tbs=cdr%3A1%2Ccd_min%3A11%2F1%2F2013%2Ccd_max%3A12%2F12%2F2013

Re:Regex is cool, but you can still do this... (1)

ilikenwf (1139495) | about 4 months ago | (#45675033)

That is to say, CC#'s are out there, but you'd have to be a complete retard to use them for anything. Everyone is being watched, unless you're behind 7 proxies or VPN's or something :)

Re:Regex is cool, but you can still do this... (1)

KiloByte (825081) | about 4 months ago | (#45676795)

You mean, no one thought about automating the 7 proxies trick before?

didn't MSFT just snub a finder the same way? (0)

Anonymous Coward | about 4 months ago | (#45675031)

Didn't Microsoft just snub a finder the same way? The guy who won third place last year in the BlueHat bug bounty recently reported an issue in EMET. According to his posts, Big Beige in Redmond replied that they were paying a bounty on IE bugs, but for a more serious mitigation bypass in EMET, he got bupkus.
Anyone have more details on this?

Captain Picard! OH SEXY GIRLFRIEND! (-1)

Anonymous Coward | about 4 months ago | (#45675069)

you're so adorable, Picard, no wonder Q courted you for so long before bringing you to the land of goo puddles and psychosis in the fields of grape.

http://imgur.com/gallery/1tBxe [imgur.com]

Uh, how is... (0)

Anonymous Coward | about 4 months ago | (#45675101)

... answering a valid query with a valid result considered a bug?
What if I want to use google to search for card numbers? How is returning a valid result *their* "security defect" if there is no risk to them?
And what moron would consider this to be worthy of a bounty, for chrissakes. What's next, blocking searches of wordpress version strings?

Holy TL;DR, Batman.

Yeah.. Fuck discover. (0)

Anonymous Coward | about 4 months ago | (#45675147)

It's an ok card. But not taken most places. It's getting better. But the quality is going down too.

On the flipside... It's owned by Sears.
Who is fucking up right and left with their clueless fund manager CEO who doesn't give 2 shits about the company or brands they own.
My personal gripe is Craftsman. Once the go-to always reliable tool brand. Now a lot of their shit is made in China, crap quality, and they don't even stand behind the full Craftsman line the way they used to.

So I wouldn't expect Discover quality and service to remain untouched for long.

I don't expect Sears to last another decade if things continue the way they are.
Hopefully the good brands such as Craftsman can be sold off to someone who will bring the quality back.

But I wouldn't bet on that either.

Re: Yeah.. Fuck discover. (0)

Anonymous Coward | about 4 months ago | (#45677063)

Excellent work!

Not a Security Bug (1)

Luthair (847766) | about 4 months ago | (#45675229)

Sorry, but Google filtering is simply doing everyone a favour by helping mitigate credit card fraud. Users of Google products and services were in no way at risk prior to the filtering change.

Why would they acknowledge this? They don't publicly acknowledge people flagging inappropriate images and this falls in the same category.

I don't know if this qualifies as a bug bounty bug (1)

John Bokma (834313) | about 4 months ago | (#45675387)

"I don't know if this qualifies as a bug bounty bug,". If you want the money, don't ask like you're in doubt. You made it too easy to answer it with "no".

Not a bug (1)

wiredlogic (135348) | about 4 months ago | (#45675473)

This is Google's search working as intended: finding stuff on the internet. It isn't their fault that sensitive information is publicly disclosed for an undiscriminating indexer to find.

Security Hole (0)

Anonymous Coward | about 4 months ago | (#45675847)

Way to be sensationalist slashdot: this is not a google Security Hole and the fact that google filters these results has nothing to do with security. These credit cards are already public on the internet, whether one search engine won't show them or not is drawing a pretty absurd conclusion about them.

It is possible Google hasn't changed anything (2)

Wierdy1024 (902573) | about 4 months ago | (#45676007)

Google uses automatic systems to try to detect "abusive" queries. When the system is triggered, you get the message "Our systems have detected unusual traffic from your computer network. Please try your request again later.".

Searching for the same random hex string every day for a week that nobody else in the world has searched for would probably make you stand out from the crowd as some kind of bot. (Bots often use google search looking for random keywords to check for updates to their own code, and the bot-owner can then put the software update anywhere on the internet with the right random keywords and it will be found).

When you have triggered the bot-detect code, it will probably get more sensitive ("look mom, I learned to detect a type of malware, and I'm gonna make sure it never gets through again!").

Hence, I have a suspicion that the entire content of this post could have happened without any interaction on the part of Google Engineers. And if that's the case, they really shouldn't get blamed for screwing over a little guy, but instead praise for making such a smart system that it can detect a little guy doing something evil and block him all automatically.

Re:It is possible Google hasn't changed anything (1)

Savage-Rabbit (308260) | about 4 months ago | (#45676285)

Google uses automatic systems to try to detect "abusive" queries. When the system is triggered, you get the message "Our systems have detected unusual traffic from your computer network. Please try your request again later.".

...and the fun really starts when that system misfires.

This post is a joke (0)

Anonymous Coward | about 4 months ago | (#45676321)

It's not a security hole, it's taking advantage of the search function (and very well known too). This is downright stupid, if it was a 'security hole', I'd just submit all of the exploit-db Google queries and become a millionaire. You couldn't get what you wanted ($500 in cash) so you wrote a rant about it. It doesn't qualify as a web application flaw, end of story.
