Computer scientists identify Yelp security leak

Nov 04, 2011

Computer scientists at Harvard, Boston University, and Yale stumbled upon a privacy leak in the mobile version of the popular Yelp social networking review site (m.yelp.com) in late October.

In the course of their ongoing research, which studies the interplay between social networks and Internet commerce, the team—Michael Mitzenmacher, Gordon McKay Professor of Computer Science at the Harvard School of Engineering and Applied Sciences; John Byers, Associate Professor of Computer Science at Boston University; and Giorgos Zervas, Simons Postdoctoral Fellow at Yale University and an Affiliate at the Center for Research on Computation and Society at Harvard—inadvertently found a servlet on m.yelp.com that could reveal some user information that was intended to be private.

Data at risk included certain user-specific fields such as email addresses, birth dates, gender, and full names. Even though no financial information was leaked, the team felt that the exposure of personally identifiable information presented a major threat. After double-checking the finding, they alerted Yelp.

The group then worked with the company’s engineers to help them gain a fuller understanding of the problem, which was then resolved with a workaround the very same day.

“Yelp's team responded in an exemplary fashion,” says Mitzenmacher. “After we contacted them, Yelp’s Michael Stoppelman and members of the engineering staff listened to our presentation and description of the vulnerability seriously, and, as they describe in their blog post, took immediate action to correct the problem.”

The researchers also noted Yelp’s willingness to make the issue public to help alert users and to prevent any possible related problems on similar websites.

Mitzenmacher and Byers give full credit to Zervas for identifying the privacy risk. He came across the vulnerability in the course of a case study on Yelp as a site that provides economic information in the form of user-generated reviews.

“As part of our research and data collection, Giorgos [Zervas] was looking at Yelp’s various interfaces, including the mobile web site,” explains Mitzenmacher. “To be clear, he was not ‘hacking’ the site in any way—just interacting with it via a standard browser and normal HTTP requests.”

Zervas, using an HTTP logger (a standard browser tool that allows a user to watch the exchange of data between the browser and the web servers), discovered that when he checked a particular restaurant for reviews and then clicked on the button asking for more reviews, entire reviewer records were leaked in JSON (JavaScript Object Notation) format. Those records contained non-encrypted information such as email addresses, gender, birth dates, and full names.

Ordinary users accessing the site from a mobile device would not have seen such sensitive information, as client-side JavaScript displayed only the non-sensitive information (such as the review text, date, and the reviewer's handle).

In the blog posting, Yelp’s Stoppelman writes that the company engineers “analyzed the servlet’s access logs to see if anyone exploited the hole...[and] did not find any evidence that user information had actually been collected.”

“This example shows the importance of having multiple redundant layers of security when handling personally identifiable information,” says Mitzenmacher. “In the post, they describe the redundancies they have added to prevent such leakage in the future.”
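As an added defensive illustration (not Yelp's code or the researchers' code), the two layers the leak described above lacked: the server projects each full reviewer record down to the fields the client actually renders before serializing to JSON, and an independent scan of the outgoing payload refuses to send anything that still carries known-sensitive keys. The record shape and field names are assumed.

```python
import json

# Constructed sample (field names assumed): the kind of full reviewer
# record the servlet returned alongside each review.
FULL_RECORD = {
    "review_id": 1234, "text": "Great clam chowder, slow service.",
    "date": "2011-10-20",
    "reviewer": {"handle": "Gina Z.", "email": "gina@example.com",
                 "full_name": "Gina Zed", "gender": "f",
                 "birth_date": "1980-01-01"},
}

# Layer 1: serialize an allowlist (only what the client renders), never
# the whole record. A nested dict carries its own allowlist.
PUBLIC_FIELDS = {"review_id": None, "text": None, "date": None,
                 "reviewer": {"handle": None}}

def project(record, allow):
    out = {}
    for key, sub in allow.items():
        if key in record:
            value = record[key]
            nested = isinstance(sub, dict) and isinstance(value, dict)
            out[key] = project(value, sub) if nested else value
    return out

# Layer 2: scan the outgoing payload for known-sensitive keys, so an
# endpoint that skips projection (or a widened allowlist) is caught.
SENSITIVE_KEYS = {"email", "full_name", "gender", "birth_date"}

def find_sensitive(obj, path="$"):
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}"
            if key in SENSITIVE_KEYS:
                hits.append(child)
            hits.extend(find_sensitive(value, child))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            hits.extend(find_sensitive(value, f"{path}[{i}]"))
    return hits

def render_reviews(records, allow=PUBLIC_FIELDS):
    body = [project(r, allow) for r in records]
    leaks = find_sensitive(body)
    if leaks:
        raise RuntimeError(f"PII in response, refusing to send: {leaks}")
    return json.dumps(body)
```

The second layer is also what an access-log or response audit would run: scanning archived servlet output for the same key names is how one would check, after the fact, whether the fields were ever served.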

Provided by Harvard School of Engineering and Applied Sciences
