Computer scientists identify Yelp security leak

November 4, 2011

Computer scientists at Harvard, Boston University, and Yale stumbled upon a privacy leak in the mobile version of the popular Yelp social networking review site in late October.

In the course of their ongoing research, which studies the interplay between social networks and Internet commerce, the team—Michael Mitzenmacher, Gordon McKay Professor of Computer Science at the Harvard School of Engineering and Applied Sciences; John Byers, Associate Professor of Computer Science at Boston University; and Giorgos Zervas, Simons Postdoctoral Fellow at Yale University and an Affiliate at the Center for Research on Computation and Society at Harvard—inadvertently found a servlet on the site that could reveal some user information that was intended to be private.

Data at risk included certain user-specific fields such as email addresses, birth dates, gender, and full names. Even though no financial information was leaked, the team felt that the exposure of personally identifiable information presented a major threat. After double-checking the finding, they alerted Yelp.

The group then worked with the company’s engineers to help them gain a fuller understanding of the problem, which was then resolved with a workaround the very same day.

“Yelp's team responded in an exemplary fashion,” says Mitzenmacher. “After we contacted them, Yelp’s Michael Stoppelman and members of the engineering staff listened to our presentation and description of the vulnerability seriously, and, as they describe in their blog post, took immediate action to correct the problem.”

The researchers also noted Yelp’s willingness to make the issue public to help alert users and to prevent any possible related problems on similar websites.

Mitzenmacher and Byers give full credit to Zervas for identifying the privacy risk. He came across the vulnerability in the course of a case study on Yelp as a site that provides economic information in the form of user-generated reviews.

“As part of our research and data collection, Giorgos [Zervas] was looking at Yelp’s various interfaces, including the mobile web site,” explains Mitzenmacher. “To be clear, he was not ‘hacking’ the site in any way—just interacting with it via a standard browser and normal HTTP requests.”

Zervas, using an HTTP logger (a standard browser tool that allows a user to watch the exchange of data between the browser and the web servers), discovered that when he checked a particular restaurant for reviews and then clicked on the button asking for more reviews, entire reviewer records were leaked in JSON (JavaScript Object Notation) format. Those records contained non-encrypted information such as email addresses, gender, birth dates, and full names.

Ordinary users accessing the site from a mobile device would not have seen such sensitive information, as client-side JavaScript displayed only the non-sensitive information (such as the review text, date, and the reviewer's handle).

In the blog posting, Yelp’s Stoppelman writes that the company engineers “analyzed the servlet’s access logs to see if anyone exploited the hole...[and] did not find any evidence that user information had actually been collected.”

“This example shows the importance of having multiple redundant layers of security when handling personally identifiable information,” says Mitzenmacher. “In the post, they describe the redundancies they have added to prevent such leakage in the future.”
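The failure mode described above (the server serializing whole reviewer records while client-side JavaScript drops the sensitive fields) and the two server-side layers Mitzenmacher's remark calls for, as an added example that is not Yelp's code: the reviewer records, field names and sensitive-key list are constructed for illustration.

```javascript
// Added example, not Yelp's code. Sample reviewer/review records are constructed.
const reviewers = {
  u1: { handle: "foodie42", email: "foodie42@example.com", gender: "F",
        birthdate: "1985-03-09", fullName: "Example Person" },
};
const reviews = [
  { id: 1, reviewerId: "u1", date: "2011-10-20", text: "Great tacos." },
];

// Leaky pattern: join the full reviewer record into the JSON response and rely
// on the client to display only handle/date/text. Anyone watching the HTTP
// exchange sees every field.
function moreReviewsLeaky(businessReviews) {
  return JSON.stringify(businessReviews.map(r => ({ ...r, reviewer: reviewers[r.reviewerId] })));
}

// Layer 1: serialize through an explicit allowlist, so only fields the UI
// actually needs are ever written into the response.
const PUBLIC_REVIEWER_FIELDS = ["handle"];
function publicView(record, allowed) {
  return Object.fromEntries(allowed.filter(k => k in record).map(k => [k, record[k]]));
}
function moreReviewsSafe(businessReviews) {
  return JSON.stringify(businessReviews.map(r => ({
    id: r.id, date: r.date, text: r.text,
    reviewer: publicView(reviewers[r.reviewerId], PUBLIC_REVIEWER_FIELDS),
  })));
}

// Layer 2 (redundant check): before any JSON leaves the server, walk the
// parsed document and refuse to send it if a known-sensitive key appears at
// any depth. Returns the JSON paths of offending keys, e.g. "$[0].reviewer.email".
const SENSITIVE_KEYS = new Set(["email", "birthdate", "gender", "fullName"]);
function findSensitiveKeys(value, path = "$") {
  if (Array.isArray(value)) return value.flatMap((v, i) => findSensitiveKeys(v, `${path}[${i}]`));
  if (value && typeof value === "object") {
    return Object.entries(value).flatMap(([k, v]) =>
      (SENSITIVE_KEYS.has(k) ? [`${path}.${k}`] : []).concat(findSensitiveKeys(v, `${path}.${k}`)));
  }
  return [];
}
function guardResponse(json) {
  const hits = findSensitiveKeys(JSON.parse(json));
  if (hits.length) throw new Error(`blocked response exposing ${hits.join(", ")}`);
  return json;
}
```

Layer 2 is deliberately independent of layer 1: a new endpoint that forgets the allowlist is still stopped, and the thrown error is the signal to log and alert on.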
