It is way too much information to see the Blippy credit card info exposed on Google. Blippy invites users of social networks to tell all of their friends about what they have bought online. VentureBeat reported last Friday that at least one person has figured out how to find Blippy members’ credit card numbers off of Google. A search VentureBeat calls “fairly obvious” returned 127 results that included full credit card numbers of many different people. The Blippy incident occurred after Blippy announced they had received $11.2 million in instant money and then was posted in the New York Times.
Blippy sneaks credit card info from Amazon
The Blippy credit card info being exposed on Google just confirms the fears that Blippy skeptics have as to why anyone would accept a Blippy invite just to share personal information about shopping habits. The New York Times profile by Brad Stone reported that Amazon.com blocked all Blippy invite code that was allowing people share Amazon purchases. The Blippy invite opened last fall and attracted 125,000 visitors in March. These numbers may have been achieved; in part it appears, through sneaking around Amazon by soliciting Blippy members for access to their Gmail accounts and taking the purchase data from e-mailed Amazon receipts.
Backfiring Blippy invite code
Blippy credit card info was exposed on Google when Blippy programmers apparently flunked HTML 101. Elanor Mills at CNET News reports that the problem began with an oversight during the company’s beta test months ago. Blippy didn’t know that raw credit card data was viewable in the HTML source of its page. The data was removed, but for some reason it still shows up in the Google cache. Blippy co-founder Philip Kaplan told Mills that “Unfortunately, the incident was from early in our testing phase when we were just beginning to develop Blippy. We are working hard to bolster our security and make sure it’s stronger, including getting third-party audits from security experts and other measures to make sure this doesn’t happen again.”
Is Identy stolen with Blippy?
Those who use Blippy will actually link their credit cards to the website. With linked credit cards, merchants pass raw date to Blippy including credit card numbers. Blippy claims to delete all data except the merchant and money spent. The Blippy credit card info exposed on Google are all Citibank issued Mastercard numbers according to VentureBeat reporters. These 127 Blippy users, and maybe the whole naive bunch of them, appear to be sitting ducks for identity thieves that are ready to steal their money now.
Resources
VentureBeat
http://venturebeat.com/2010/04/23/blippy-credit-card-citibank/
The New York Times profile by Brad Stone
http://www.nytimes.com/2010/04/23/technology/23share.html?src=busln&scp=2&sq=Blippy&st=cse
Elanor Mills at CNET News
http://news.cnet.com/8301-27080_3-20003283-245.html
