[Fixed] – A critical privacy issue on Couchsurfing.com

(Last Updated On: 17 September 2021)
The problem described in this article is now fixed by Couchsurfing.com technical team. If you do have a Couchsurfing account, there is nothing to worry about anymore.
Une version française est disponible : ici.
TL;DR
After clicking on a “Download Data” button on Couchsurfing.com, your data is exported to a .json file. In this .json, and before the fix, you could see addresses of hosts contacted for previous hosting requests. In the cases hosts had given full address information to Couchsurfing.com (Address verification, or during account creation), this .json file contained the street name and number of those hosts. It doesn’t matter if the host didn’t reply, declined or accepted your couch requests.

What is Couchsurfing.com ?

A trendy website

Couchsurfing.com is the main website to experiment couch-surfing. It connects travelers around the world and helps to find a free accommodation. Yes, free. A kind host is giving away a couch, a spare bedroom or an inflatable mattress and asks nothing in exchange. For the traveler, it is recommended and appreciated to participate in the host’s everyday tasks by cooking, cleaning, and/or bring presents and enjoy activities together.

Couchsurfing.com logo

From the traveler’s point of view, it allows to find a free temporary accommodation and befriend with a local who can help you to find the best deals and tricks around.

For the host, it is a perfect opportunity to offer simple hospitality, meet strangers from the whole world, reach perfection in a second language by inviting a Japanese couch-surfer, discover new recipes, being hosted back, or simply share some good times.

A traveler-host relationship built on trust

Hosting for free an unknown person looks terrifying at first glance. Some testimonies share a bad or even traumatic past experience 12. To make things more secure, Couchsurfing.com sets up a system of public profile, photos, reviews and recommendations. For example, verification using credit card with a one-off fee supports the service and proves a geographic location of payment. One can also use phone number verification, ID verification and postal address. Probably enough to reassure some users.

Your address in stranger’s files

Up to last week (issue was fixed from 21 to 27 October 2019), if you provided a full postal address on the website, anyone who sent you a hosting request and downloaded their data had access to it.

Couchsurfing set up a button to export data from your account. To find this button, you must go to Settings -> Account and Settings -> Privacy -> Data Settings -> Download Data.

After clicking on this button, your data is exported to a .json file if you wish to use it with another service. In this .json, and before the hotfix, any other couch-surfer could see in this file the full postal address of any host previously contacted when looking for a couch. Not only the street number and street name were given, but also accurate GPS coordinates.

In 4 simple steps, this was the possible threat model:

  1. Both the attacker (Bob) and the victim (Alice) need to have a Couchsurfing account. We assume that Alice gave details of her full address on Couchsurfing. Bob or any other couch-surfer can only see that Alice lives in Bruxelles, Belgium.
  2. Bob needs to make a host request to Alice. Alice refuses Bob’s request by clicking the appropriate button. Bob gets notified from the refusal.
  3. Bob goes to his personal account settings and downloads his data, which is exported in a .json file. This file is updated every thirty days. Bob looks for the formatted_address attribute. He obtains a postal address and GPS coordinates in decimal format of Alice’s full address.
  4. Bob can go to Alice’s place and threat her, insist on her hosting him, planning to break into her house because she said she was busy and probably outside…
Possible threat model before Couchsurfing’s hotfix

Context

Since the General Data Protection Regulation (GDPR) is effective in Europe – the same GDPR that pushes websites to display the “Accept cookies ?” notices everywhere -, services you use have to provide you a copy of the data they host from your account.

Since Couchsurfing offers its services in Europe, the platform must comply with GDPR regulation. If they don’t, they can be exposed to (heavy) fines 3.

For example, to comply with Chapter 3, Section 3, Article 20 of this GDPR, “Right to data portability”, Couchsurfing set up this “Download Data” button to export data from your account.

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided […] REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

In this case it demonstrates a very interesting counter-effect of the measure: by setting up means to protect data and comply with GDPR, Couchsurfing’s adaptation to the legislation was a failure with the download button and the addresses it could possibly reveal.

Who gives a full address to Couchsurfing.com?

I made 61 host requests across Europe. I was able to get 27 full addresses from my .json file (40%+ ratio). The worst part is that most of them came from people who declined my request or didn’t answer. There is probably a cultural difference based on your country of origin. I made 5 couch requests in Leuven, Belgium and was able to retrieve the full address of… those five users.

5 host addresses with street number and street name.

Couchsurfing has now more than 12 million members 4. If we assume the full address ratio (40%+) holds for all CS users, this issue could allow a malicious user to retrieve about more than 4 million addresses worldwide.

To make unlimited host request, payment verification is needed (54 euros in 2018). Accounts without this verification are limited to 10 host request each week.

A skilled and malicious user using a “payment verified” account could have written a script and send thousands of automated host request, build a database with a name, sometimes last name AND a complete postal address. This malicious user could then sell this database to criminal networks (burglary…)

Fortunately, Couchsurfing fixed the issue within days.

To protect the privacy of hosts I contacted, I am no longer in the possession of the .json file used to discover the vulnerability.

Credits

Icons in the infography have been made by Freepik and Vectors Market on www.flaticon.com (basic license).
Couchsurfing.com is NOT affiliated to this website. Their logos displayed here are only used in the scope of an academic work and more particularly a Privacy Impact Assessment on Couchsurfing.com

Acknowledgments

Thanks to G. Acar et C. Diaz for their precious help regarding guidelines to make a Responsible disclosure and their help for the redaction of this document.

For any complaints, please use the contact form.

Sources

  1. Creeped Out by Couchsurfing, Jennifer Katanyoutanant, 19/05/2014, https://narratively.com/creeped-out-by-couchsurfing/
  2. Traveller website rapist jailed, BBC NEWS, 29/10/2019, http://news.bbc.co.uk/2/hi/uk_news/england/west_yorkshire/8332140.stm
  3. Fines and Penalties, https://www.gdpreu.org/compliance/fines-and-penalties/
  4. About | Couchsurfing https://www.couchsurfing.com/about/about-us/