Yelp, the popular business listing and review website, is indebted to a BU computer scientist and his colleagues, who uncovered a privacy leak on its site last month. Yelp says it worked with the researchers to plug the leak before prying eyes glimpsed confidential information.
“Our estimate is that the size of the compromise potentially ran into the scale of millions of user records,” says John Byers (pictured below), a College of Arts & Sciences associate professor of computer science, who discovered the potential breach with colleagues at Harvard and Yale.
Claiming 63 million visitors this past August alone, Yelp has become the dominant review site in big cities, to the point that Google tried to buy it last year. Byers’ research team contacted the website October 27 about the security problem. It arose, he says, because Yelp stored sensitive user information in a location that was readable by the server-side programs (servlets) “that respond to everyday user queries, such as for reviews of a local merchant.” Instead of merely forwarding the reviews, the servlet in question forwarded additional data about the reviewer, Byers says, including birthdate, email address, phone number, and even proprietary information that Yelp uses to rate its users.
“No financially sensitive information was exposed,” Yelp says in a blog post about the incident. “We analyzed the servlet’s access logs to see if anyone exploited the hole, but we did not find any evidence that user information had actually been collected.”
The post says that Yelp shut down its mobile phone site, which suffered the breach. The breach was fixed within an hour, but the site remained down for another 12 hours while Yelp checked for any additional problems. Yelp also created an automated system that will detect when sensitive information is being sent to clients, the blog post says. “We felt comfortable that the risk of a future exposure of this type had been mitigated,” it says.
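The over-exposure Byers describes and the outbound check Yelp says it added, shown as an added Python example that is neither Yelp's code nor the researchers' (the record layout, field names and allowlist policy are assumptions):

```python
import json

# Constructed sample (field names assumed): a review joined with the reviewer's
# full stored profile, as the article says the servlet forwarded it.
REVIEW_RECORD = {
    "review_id": 1042, "rating": 4, "text": "Great tacos, slow service.",
    "reviewer": {
        "user_id": "u-9001", "display_name": "Sam T.",
        "birthdate": "1985-03-12", "email": "sam@example.invalid",
        "phone": "+1-555-0100",
        "internal_reviewer_score": 0.87,  # proprietary rating data
    },
}

# Hypothetical policy: keys that must never reach a client, plus the
# allowlist of keys the public review endpoint may return.
SENSITIVE_KEYS = {"birthdate", "email", "phone", "internal_reviewer_score"}
PUBLIC_REVIEW_KEYS = {"review_id", "rating", "text"}
PUBLIC_REVIEWER_KEYS = {"user_id", "display_name"}

def leaky_review_response(record):
    """The flaw described: serialize the joined record wholesale."""
    return json.dumps(record)

def safe_review_response(record):
    """Allowlist what goes out instead of forwarding the stored record."""
    out = {k: record[k] for k in PUBLIC_REVIEW_KEYS if k in record}
    out["reviewer"] = {k: v for k, v in record["reviewer"].items()
                       if k in PUBLIC_REVIEWER_KEYS}
    return json.dumps(out)

def find_sensitive_keys(payload, path=""):
    """Dotted paths of sensitive keys anywhere in a decoded payload. Run on
    every outbound body, a non-empty result should block and alert; this is
    the kind of automated check Yelp described adding."""
    hits = []
    if isinstance(payload, dict):
        for k, v in payload.items():
            p = f"{path}.{k}" if path else k
            if k in SENSITIVE_KEYS:
                hits.append(p)
            hits.extend(find_sensitive_keys(v, p))
    elif isinstance(payload, list):
        for i, v in enumerate(payload):
            hits.extend(find_sensitive_keys(v, f"{path}[{i}]"))
    return hits

def check_outbound(body):
    """Sensitive key paths in a serialized response body (empty list = OK)."""
    return find_sensitive_keys(json.loads(body))
```

The allowlist fixes the endpoint; the outbound scan is the safety net that catches the next endpoint that forgets to use one.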
“They were exceptionally responsive,” Byers says of Yelp. He and his colleagues—Harvard’s Michael Mitzenmacher and Yale’s Georgios Zervas (GRS’11)—were not collaborating with Yelp, but rather independently studying the site and several others. Such sites “provide an interesting case study as a social network that provides economic information in the form of reviews,” Mitzenmacher writes on his blog.
Yelp’s own post thanks the researchers for their “diligence in finding and notifying us about this important problem; their thoughtful handling of a sensitive and tricky security situation is commendable.”
This is not the first time that Byers, a member of BU’s Rafik B. Hariri Institute for Computing and Computational Science & Engineering, has made news studying an internet leader. He and his team released a study recently that questions whether Groupon is a good deal for businesses offering customer discounts through the online deal site. The study notes that discounts lead to new customers, but those people might then write negative reviews of the business—on Yelp.
Byers “epitomizes the qualities that the institute is striving to cultivate and nurture,” says Azer Bestavros, founding director of the Hariri institute and a CAS computer science professor. “His research crosses computer science with other disciplines, which have not been traditionally seen as computational—in this case, social science disciplines such as economics and management.”