Computer Science Professor Finds Yelp Leak

By Radhika Jain, Crimson Staff Writer

A team of computer scientists from Harvard, Yale, and Boston University recently discovered a security leak in the mobile version of Yelp—a popular business review website—that gave site visitors access to a large quantity of reviewers’ personal information, including email addresses, full names, and birth dates.

Georgios Zervas, an affiliate at the Harvard Center for Research on Computation and Society and a Simons Postdoctoral Fellow at Yale, first came across the security bug while browsing Yelp’s mobile website, m.yelp.com.

Normally, when a user accesses a site like Yelp, the phone receives information packaged in the JavaScript Object Notation (JSON) format and extracts certain fields to display on the mobile device. But because of a coding flaw, other, non-displayed fields within the data were also easily accessible.

Zervas, looking at information exchanged between his browser and the Yelp server, discovered that he was able to see a large amount of data that is not normally accessible to site visitors.
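The class of flaw described above, a server returning a full record and relying on the client to display only part of it, is sketched below beside an allowlisted serializer and a response check. This is an added example, not code from Yelp or the researchers; the record, its field names, and all function names are constructed assumptions.

```javascript
// Constructed sample record; field names are assumptions, not Yelp's schema.
const reviewerRecord = {
  id: 1017,
  displayName: "Pat R.",
  reviewCount: 42,
  fullName: "Pat Example Reviewer",
  email: "pat@example.com",
  birthDate: "1980-01-01",
};

// Flawed pattern: the whole stored record is serialized, and the client is
// trusted to show only some of it. Anyone reading the response sees it all.
function serializeWholeRecord(record) {
  return JSON.stringify(record);
}

// Hardened pattern: only explicitly allowlisted fields leave the server.
const PUBLIC_FIELDS = ["id", "displayName", "reviewCount"];

function serializePublicView(record) {
  const view = {};
  for (const field of PUBLIC_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(record, field)) {
      view[field] = record[field];
    }
  }
  return JSON.stringify(view);
}

// Regression check for a test suite: walk a response body, including nested
// objects and arrays, and return the path of every key not on the allowlist.
function unexpectedFields(body, allowed = PUBLIC_FIELDS) {
  const found = [];
  const walk = (value, path) => {
    if (Array.isArray(value)) {
      value.forEach((item, i) => walk(item, `${path}[${i}]`));
    } else if (value !== null && typeof value === "object") {
      for (const [key, child] of Object.entries(value)) {
        const here = path ? `${path}.${key}` : key;
        if (!allowed.includes(key)) found.push(here);
        else walk(child, here);
      }
    }
  };
  walk(typeof body === "string" ? JSON.parse(body) : body, "");
  return found;
}
```

Running `unexpectedFields` against every public endpoint's response in automated tests catches a newly added private field before a frequent-deploy pipeline ships it.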

Zervas immediately shared the information with Harvard Computer Science Professor Michael D. Mitzenmacher and Boston University Computer Science Professor John W. Byers—both of whom served as his PhD advisors. The three still conduct research together on the relationship between social networking and internet economics.

“My very first reaction was to ask for a second opinion from people who are much more experienced than I am,” Zervas said.

According to its blog, Yelp immediately shut down its mobile site upon learning of the leak last week. After fixing the faulty code that caused the problem, engineers combed over the site multiple times looking for other vulnerabilities.

The three agreed that they were somewhat surprised by the security leak, especially given Yelp’s high profile.

“Yelp is a big company—they have an awful lot of user records,” said Byers. “Keeping these records buttoned up is a high priority for them and should be a high priority for anyone who has such a lot of user content on hand.”

Byers added that anyone with a smartphone could stumble upon personal information of Yelp reviewers.

But the security leak could have been much worse had financial information about reviewers been exposed as well, according to Zervas.

“Initially I was surprised, yes, but then I can understand from a technical perspective how something like that can happen,” he said. “They make changes on their website three times a day on average and make those changes live. Human errors are likely and they can happen.”

Mitzenmacher said he was very impressed with Yelp’s response when the three researchers approached the website with their findings.

“They took it seriously,” he said. “To me, it shows a positive university and business interaction that can come about from research and research projects—that that relationship can be friendly and non-adversarial when these sorts of things come up.”

—Staff writer Radhika Jain can be reached at radhikajain@college.harvard.edu.
