Blippy, a social networking site that allows users to share their purchases and discuss shopping with others, will revamp its security plans and hire a Chief Security Officer after an embarrassing incident in which the site accidentally published a few of its members' credit card numbers on Google. (CSO first reported concerns about Blippy in ShmooCon: Inside Farmville's Sinister Underbelly.)
Blippy Co-founder and CEO Ashvin Kumar said in a blog post this week that the slip-up occurred as a result of a technical oversight back in February that caused raw transaction data to appear within the HTML code on some Blippy pages for about half a day.
"Up until that day in early February, based on the raw transaction data we had observed during our beta period, we incorrectly considered raw data fairly harmless," said Kumar. "As we have always strived to be highly attentive to potential security and privacy problems, we quickly patched the issue and took extra precautions to never ever expose raw transaction data again."
Also see Social Media Risks: The Basics on CSOonline.com
However, according to Kumar, Blippy officials failed to realize until recently that in that half-day period of exposure, Google had crawled and indexed a portion of Blippy' pages. Even though the sensitive information was hidden in the HTML and not visible in plain view, the Google crawler observed it and recorded the information to put into its search index.
"Google effectively took a snapshot of Blippy during that half day period," explained Kumar in the post. "Though our site has changed considerably since early February, Google's snapshot of these pages did not update, which effectively extended a half day exposure into a three month exposure. While Google provides webmasters with tools to remove pages from its index, we overlooked the fact that Blippy could have been crawled by Google during the period of the exposure."
Kumar said Blippy executives have hammered out a security plan that aims to prevent further security missteps. It includes hiring a Chief Security Officer and associated staff that will focus solely on issues relating to information security. Blippy will also undergo regular 3rd-party infrastructure and application security audits and create a security and privacy center, in addition to other measures included in the plan.
In February, CSO reported that presenters at ShmooCon noted that penetration testers love Blippy because of the naked insight it offers into the spending habits of specific individuals. They also shared a favorite quote making its way around the infosec community: "I joined Blippy and all I got was jacked at the ATM."
In 10 Security Reasons to Quit Facebook, CSO spoke with several security experts who noted that social networks like Blippy put privacy at peril and make users an easy target for social engineering attacks and other crimes.