
A screen capture from the mobile version of Yelp, a site that is now more secure thanks to a joint effort by the company and a team of computer scientists from Harvard, BU, and Yale.
Computer scientists at Harvard, Boston University, and Yale stumbled upon a privacy leak in the mobile version of the popular Yelp social networking review site (m.yelp.com) in late October.
In the course of their ongoing research, which studies the interplay between social networks and Internet commerce, the team--Michael Mitzenmacher, Gordon McKay Professor of Computer Science at the Harvard School of Engineering and Applied Sciences; John Byers, Associate Professor of Computer Science at Boston University; and Giorgos Zervas, Simons Postdoctoral Fellow at Yale University and an Affiliate at the Center for Research on Computation and Society at Harvard--inadvertently found a servlet on m.yelp.com that could reveal some user information that was intended to be private.
Data at risk included certain user-specific fields such as email addresses, birth dates, gender, and full names. Even though no financial information was leaked, the team felt that the exposure of personally identifiable information presented a major threat. After double-checking the finding they alerted Yelp.
The group then worked with the company’s engineers to help them gain a fuller understanding of the problem, which was then resolved with a workaround the very same day.
"Yelp’s team responded in an exemplary fashion," says Mitzenmacher. "After we contacted them, Yelp’s Michael Stoppelman and members of the engineering staff listened to our presentation and description of the vulnerability seriously, and, as they describe in their blog post, took immediate action to correct the problem."
The researchers also noted Yelp’s willingness to make the issue public to help alert users and to prevent any possible related problems on similar websites.


