It is way too much information to see the Blippy credit card info exposed on Google. Blippy invites users of social networks to tell all of their friends about what they have bought online. VentureBeat reported last Friday that at least one person has figured out how to find Blippy members’ credit card numbers off of Google. A search VentureBeat calls “fairly obvious” returned at least 127 results that included full credit card numbers. The Blippy incident occurred after Blippy announced they had received $11.2 million in instant money and then was posted in the New York Times.
Blippy takes credit card info and gives it to Amazon
Blippy credit card info exposed on Google confirms the worst fears of Blippy skeptics who wonder why anyone would want to accept a Blippy invite to share personal details about online shopping habits. The New York Times profile by Brad Stone reported that Amazon.com blocked the Blippy invite code that had been allowing people share Amazon purchases. The Blippy invite opened last fall and attracted 125,000 visitors in March. In part, it appears that these numbers may have been gotten through sneaking around Amazon by soliciting Blippy members for access to their Gmail accounts and taking the purchase data from e-mailed Amazon receipts.
Backfiring Blippy invite code
When Blippy programmers apparently failed HTML 101, the Blippy credit card info was exposed on Google. Elanor Mills at CNET News reports that the problem grew from an oversight during the company’s beta test months ago. Blippy had no idea that raw credit card data was viewable in the HTML source of its pages. The Google cache still shows the data although the data was removed. Blippy co-founder Philip Kaplan told Mills that “Unfortunately, the incident was from early in our testing phase when we were just beginning to develop Blippy. We are working hard to bolster our security and make sure it’s stronger, including getting third-party audits from security experts and other measures to make sure this doesn’t happen again.”
Is Blippy an identity theft engine?
Blippy users actually link their credit cards to the Blippy site. When people link their credit cards to Blippy, merchants pass along their raw transaction data – including credit card numbers. Blippy claims to delete all data except the merchant and money spent. VentureBeat reporters determined that the Blippy credit card info exposed on Google are Citibank-issued MasterCard numbers. These 127 unfortunate Blippy users, and perhaps the whole naive bunch of them, appear to be sitting ducks for identity thieves ready to steal their money now.
Article Sources
VentureBeat
http://venturebeat.com/2010/04/23/blippy-credit-card-citibank/
The New York Times profile by Brad Stone
http://www.nytimes.com/2010/04/23/technology/23share.html?src=busln&scp=2&sq=Blippy&st=cse
Elanor Mills at CNET News
http://news.cnet.com/8301-27080_3-20003283-245.html
