[Fixed] – A critical privacy issue on Couchsurfing.com

What is Couchsurfing.com ?

A trendy website

Couchsurfing.com is the main website to experiment couch-surfing. It connects travelers around the world and helps to find a free accommodation. Yes, free. A kind host is giving away a couch, a spare bedroom or an inflatable mattress and asks nothing in exchange. For the traveler, it is recommended and appreciated to participate in the host’s everyday tasks by cooking, cleaning, and/or bring presents and enjoy activities together.

From the traveler’s point of view, it allows to find a free temporary accommodation and befriend with a local who can help you to find the best deals and tricks around.

For the host, it is a perfect opportunity to offer simple hospitality, meet strangers from the whole world, reach perfection in a second language by inviting a Japanese couch-surfer, discover new recipes, being hosted back, or simply share some good times.

A traveler-host relationship built on trust

Hosting for free an unknown person looks terrifying at first glance. Some testimonies share a bad or even traumatic past experience ¹². To make things more secure, Couchsurfing.com sets up a system of public profile, photos, reviews and recommendations. For example, verification using credit card with a one-off fee supports the service and proves a geographic location of payment. One can also use phone number verification, ID verification and postal address. Probably enough to reassure some users.

Your address in stranger’s files

Up to last week (issue was fixed from 21 to 27 October 2019), if you provided a full postal address on the website, anyone who sent you a hosting request and downloaded their data had access to it.

Couchsurfing set up a button to export data from your account. To find this button, you must go to Settings -> Account and Settings -> Privacy -> Data Settings -> Download Data.

After clicking on this button, your data is exported to a .json file if you wish to use it with another service. In this .json, and before the hotfix, any other couch-surfer could see in this file the full postal address of any host previously contacted when looking for a couch. Not only the street number and street name were given, but also accurate GPS coordinates.

In 4 simple steps, this was the possible threat model:

1. Both the attacker (Bob) and the victim (Alice) need to have a Couchsurfing account. We assume that Alice gave details of her full address on Couchsurfing. Bob or any other couch-surfer can only see that Alice lives in Bruxelles, Belgium.
2. Bob needs to make a host request to Alice. Alice refuses Bob’s request by clicking the appropriate button. Bob gets notified from the refusal.
3. Bob goes to his personal account settings and downloads his data, which is exported in a .json file. This file is updated every thirty days. Bob looks for the formatted_address attribute. He obtains a postal address and GPS coordinates in decimal format of Alice’s full address.
4. Bob can go to Alice’s place and threat her, insist on her hosting him, planning to break into her house because she said she was busy and probably outside…

Context

Since the General Data Protection Regulation (GDPR) is effective in Europe – the same GDPR that pushes websites to display the “Accept cookies ?” notices everywhere -, services you use have to provide you a copy of the data they host from your account.

Since Couchsurfing offers its services in Europe, the platform must comply with GDPR regulation. If they don’t, they can be exposed to (heavy) fines ³.

For example, to comply with Chapter 3, Section 3, Article 20 of this GDPR, “Right to data portability”, Couchsurfing set up this “Download Data” button to export data from your account.

In this case it demonstrates a very interesting counter-effect of the measure: by setting up means to protect data and comply with GDPR, Couchsurfing’s adaptation to the legislation was a failure with the download button and the addresses it could possibly reveal.

Who gives a full address to Couchsurfing.com?

I made 61 host requests across Europe. I was able to get 27 full addresses from my .json file (40%+ ratio). The worst part is that most of them came from people who declined my request or didn’t answer. There is probably a cultural difference based on your country of origin. I made 5 couch requests in Leuven, Belgium and was able to retrieve the full address of… those five users.

Couchsurfing has now more than 12 million members ⁴. If we assume the full address ratio (40%+) holds for all CS users, this issue could allow a malicious user to retrieve about more than 4 million addresses worldwide.

A skilled and malicious user using a “payment verified” account could have written a script and send thousands of automated host request, build a database with a name, sometimes last name AND a complete postal address. This malicious user could then sell this database to criminal networks (burglary…)

Fortunately, Couchsurfing fixed the issue within days.

To protect the privacy of hosts I contacted, I am no longer in the possession of the .json file used to discover the vulnerability.

Credits

Icons in the infography have been made by Freepik and Vectors Market on www.flaticon.com (basic license).
Couchsurfing.com is NOT affiliated to this website. Their logos displayed here are only used in the scope of an academic work and more particularly a Privacy Impact Assessment on Couchsurfing.com

Acknowledgments

Thanks to G. Acar et C. Diaz for their precious help regarding guidelines to make a Responsible disclosure and their help for the redaction of this document.

For any complaints, please use the contact form.

1. Creeped Out by Couchsurfing, Jennifer Katanyoutanant, 19/05/2014, https://narratively.com/creeped-out-by-couchsurfing/
2. Traveller website rapist jailed, BBC NEWS, 29/10/2019, http://news.bbc.co.uk/2/hi/uk_news/england/west_yorkshire/8332140.stm
3. Fines and Penalties, https://www.gdpreu.org/compliance/fines-and-penalties/
4. About | Couchsurfing https://www.couchsurfing.com/about/about-us/