Computer scientists identify Yelp security leak

November 4, 2011, Harvard School of Engineering and Applied Sciences

Computer scientists at Harvard, Boston University, and Yale stumbled upon a privacy leak in the mobile version of Yelp, the popular social networking review site, in late October.

In the course of their ongoing research, which studies the interplay between social networks and Internet commerce, the team—Michael Mitzenmacher, Gordon McKay Professor of Computer Science at the Harvard School of Engineering and Applied Sciences; John Byers, Associate Professor of Computer Science at Boston University; and Giorgos Zervas, Simons Postdoctoral Fellow at Yale University and an Affiliate at the Center for Research on Computation and Society at Harvard—inadvertently found a servlet on Yelp's mobile site that could reveal user information that was intended to be private.

Data at risk included user-specific fields such as email addresses, birth dates, gender, and full names. Even though no financial information was leaked, the team felt that the exposure of personally identifiable information presented a major threat. After double-checking the finding, they alerted Yelp.

The group then worked with the company’s engineers to help them gain a fuller understanding of the problem, which was then resolved with a workaround the very same day.

“Yelp's team responded in an exemplary fashion,” says Mitzenmacher. “After we contacted them, Yelp’s Michael Stoppelman and members of the engineering staff listened to our presentation and description of the vulnerability seriously, and, as they describe in their blog post, took immediate action to correct the problem.”

The researchers also noted Yelp’s willingness to make the issue public to help alert users and to prevent any possible related problems on similar websites.

Mitzenmacher and Byers give full credit to Zervas for identifying the privacy risk. He came across the vulnerability in the course of a case study on Yelp as a site that provides economic information in the form of user-generated reviews.

“As part of our research and data collection, Giorgos [Zervas] was looking at Yelp’s various interfaces, including the mobile web site,” explains Mitzenmacher. “To be clear, he was not ‘hacking’ the site in any way—just interacting with it via a standard browser and normal HTTP requests.”

Zervas, using an HTTP logger (a standard browser tool that lets a user watch the exchange of data between the browser and the web servers), discovered that when he checked a particular restaurant for reviews and then clicked on the button asking for more reviews, entire reviewer records were returned in JSON (JavaScript Object Notation) format. Those records contained, in cleartext, email addresses, gender, birth dates, and full names.

Ordinary users accessing the site from a mobile device would not have seen the sensitive fields, because the client-side JavaScript rendered only the non-sensitive ones (such as the review text, date, and the reviewer's handle). The filtering happened in the browser, after the full records had already left the server.

In the blog posting, Yelp’s Stoppelman writes that the company engineers “analyzed the servlet’s access logs to see if anyone exploited the hole...[and] did not find any evidence that user information had actually been collected.”

“This example shows the importance of having multiple redundant layers of security when handling personally identifiable information,” says Mitzenmacher. “In the post, they describe the redundancies they have added to prevent such leakage in the future.”
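As an added illustration (not Yelp's code, and not the researchers' tooling), the following JavaScript models the flaw described above and the "redundant layers" point: a "more reviews" endpoint that serializes whole reviewer records and relies on the browser to hide the sensitive fields, next to a server-side allowlist and a response-side PII check that would each have caught it on its own. Every function name, field name and sample record here is an assumption made for the example.

```javascript
// Added example, not Yelp's code. Models the "more reviews" leak described
// in the article: the server serialized complete reviewer records as JSON
// and relied on client-side JavaScript to show only the harmless fields.
// All names, fields and sample data below are assumptions for illustration.

// Constructed sample records, shaped as a server-side data layer might hold them.
const reviewerRecords = [
  {
    handle: "foodie42",
    full_name: "Example Person",
    email: "person@example.com",
    birth_date: "1980-01-01",
    gender: "F",
    review_text: "Great noodles, slow service.",
    review_date: "2011-10-20",
  },
  {
    handle: "latenight_eats",
    full_name: "Another Reviewer",
    email: "reviewer@example.net",
    birth_date: "1975-06-15",
    gender: "M",
    review_text: "Closed early, no warning.",
    review_date: "2011-10-22",
  },
];

// Vulnerable pattern: the endpoint serializes whatever the data layer returns.
// Every field reaches the wire, whether or not the client renders it.
function moreReviewsVulnerable(records) {
  return JSON.stringify({ reviews: records });
}

// Client-side rendering touches only three fields, which is why ordinary
// users never saw the rest. Filtering here is a display choice, not a control:
// anyone with an HTTP logger sees the full response.
function renderReviewsClientSide(jsonText) {
  const { reviews } = JSON.parse(jsonText);
  return reviews.map((r) => `${r.handle} (${r.review_date}): ${r.review_text}`);
}

// First layer: an explicit server-side allowlist. Fields not named here are
// never copied into the response object, so adding a column to the record
// cannot silently widen the response.
const PUBLIC_REVIEW_FIELDS = ["handle", "review_text", "review_date"];

function toPublicReview(record) {
  const out = {};
  for (const key of PUBLIC_REVIEW_FIELDS) {
    if (key in record) out[key] = record[key];
  }
  return out;
}

function moreReviewsFixed(records) {
  return JSON.stringify({ reviews: records.map(toPublicReview) });
}

// Second, redundant layer: a response-side check that walks the serialized
// JSON and reports any key that names a PII field, however deeply nested.
// This makes mechanical the observation the HTTP logger gave the researchers,
// so it can run on every response (e.g. as a test or an egress filter).
const SENSITIVE_KEYS = new Set(["email", "full_name", "birth_date", "gender"]);

function findLeakedFields(jsonText) {
  const leaked = new Set();
  const walk = (value) => {
    if (Array.isArray(value)) {
      value.forEach(walk);
    } else if (value && typeof value === "object") {
      for (const [key, child] of Object.entries(value)) {
        if (SENSITIVE_KEYS.has(key)) leaked.add(key);
        walk(child);
      }
    }
  };
  walk(JSON.parse(jsonText));
  return [...leaked].sort();
}

// Stand-alone demonstration: same rendered output, very different wire content.
console.log("vulnerable endpoint leaks:", findLeakedFields(moreReviewsVulnerable(reviewerRecords)));
console.log("fixed endpoint leaks:", findLeakedFields(moreReviewsFixed(reviewerRecords)));
console.log(renderReviewsClientSide(moreReviewsFixed(reviewerRecords)));
```

Run with `node` and the two `console.log` lines show the point: the rendered list is identical for both endpoints, but only the allowlisted response passes the leak check. The allowlist is the fix; the response walker is the independent second layer that would flag a regression even if someone later bypassed the allowlist.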
