Slashdot Mirror

← Back to Stories (view on slashdot.org)

Couchsurfing Hacked, Sends Airbnb Prank Spam

Posted by timothy on from the or-we'll-shoot-this-dog dept.

Slashdot regular (and Couchsurfing.org volunteer) Bennett Haselton writes with a report that an anonymous prankster hacked the Couchsurfing.org website and sent spam to about 1 million members, snarkily advertising their commercial arch-rival Airbnb as "the new Couchsurfing." (Read on below for more on the breach.) As of now, the spam's been caught, but not the spammer.

I've been a volunteer host on Couchsurfing.org for 16 months. Despite the ongoing controversies surrounding the site's changes in recent years, I've always found it to be a great way to meet travelers with fascinating stories and to make new friends, not to mention a way to force a deadline upon yourself to clean up your house before the next guest arrives.

On August 15, I received an email sent from "Couchsurfing <noreply@couchsurfing.org>" with the subject "Site Improvements", which read:

Hi!

We have some exciting news. Find out more about the new CouchSurfing here.

The CouchSurfing team

but the hyperlink on the word "here" did nothing when I clicked on it. So I looked at the HTML source code of the message and saw that the source code of the link was: We have some exciting news. Find out more about the new CouchSu= rfing <a href=3D=E2=80=9Chttps://www.airbnb.com/signup_login=E2=80=9D> her= e </a>.

So... the email from Couchsurfing was promoting a link to their commercial arch-rival, Airbnb.

At that point I assume the message was spam that had been sent from some third-party server and simply forged a return address from couchsurfing.org, but the message headers clearly showed that the message really had been sent from Couchsurfing: Received: from messaging3.couchsurfing.com (messaging3.couchsurfing.com. [54.236.187.135]) by mx.google.com with ESMTP id v7si15118226qay.99.2014.08.15.21.30.16 for <bennetthaselton@gmail.com>; The complete message headers and message source are here.

I sent a message to Couchsurfing tech support asking if they knew what had happened, and I started a thread on the Seattle Couchsurfing page, where several other users chimed in that they had received the same email. Couchsurfing support replied to me on August 18th:

Hello Bennett,

Thanks for your patience while we have been looking into this. As you saw yourself, some Couchsurfing members received an email in error on Friday night -- we apologize.

The part of Couchsurfing’s system that sends email to members was breached Friday night and an email was sent to approximately 1 million members. We take this very seriously, and we will continue to investigate and take all appropriate action until this situation is resolved.

There is no action you need to take to secure your account. Once we have further information, we will be sure to send out updates.

Warm Regards,

Then on August 19th, I received an email from Couchsurfing (presumably along with all or most other Couchsurfing users) with the subject "Incorrect email -- our apologies":

Dear Bennett Haselton:

We're writing because you may have received an odd email from Couchsurfing in the last few days titled "Site Improvements."

We apologize for any confusion this may have caused -- it should not have been sent.

-- The Couchsurfing Team

Want more details? Find them here

where the "here" link further explains: "The message was sent by an unauthorized user of our email system. No other systems were compromised, and we've addressed the circumstances that led to this unauthorized use."

So, kudos to Couchsurfing for at least alerting users that something had gone wrong. (Judging from the reactions in the thread that I started, most users who received the email simply deleted it without a second thought after seeing that the link didn't work, so Couchsurfing probably could have said nothing to their users at all, and gotten away with it. As of this writing, a Google News search for "couchsurfing hacked" turns up no other articles about the incident, so it's not as if there was a mob clamoring for answers that they had to respond to.)

On the other hand, I hope Couchsurfing is more forthcoming in the next few days about how much they know about what actually happened. When they say "We've addressed the circumstances that led to this unauthorized use," that probably means that they at least know whether the email was sent by (a) a disgruntled employee (or recently fired employee whose credentials still enabled them to access the server); or (b) someone who used an unpatched security hole to break in from the outside; or (c) something else. (I replied to the tech support ticket asking as much, but as of this writing I have not received a reply. I wasn't naive enough to think that they were probably going to tell me everything they knew, but it's one of those rituals that quasi-journalists engage in so that we can say "as of this writing I have not received a reply".)

Obviously I think it's unlikely that anyone at the real Airbnb would actually risk jail time by hacking Couchsurfing's servers to send out spam advertising the Airbnb website; it seems more like the actions of someone being snarky, possibly a former employee or an outsider with an axe to grind. Couchsurfing's apology email said "Once we have further information, we will be sure to send out updates." Hope so.

44 comments

  1. YAAAWWWNNN by Anonymous Coward · · Score: 1

    Ehhyeahh...hmm? What?

  2. You Can Tell Bennett Didn't Write It by Anonymous Coward · · Score: 4, Funny

    Because it wasn't 1,000 words long.

    1. Re:You Can Tell Bennett Didn't Write It by Dragonslicer · · Score: 0

      As soon as I saw "Bennett", I immediately scrolled the browser window to about 3/4 down the page. I was shocked to find that the comments started only about 1/4 down the page.

  3. spam by Anonymous Coward · · Score: 4, Funny

    The irony of Bennett complaining about spamming is not lost on me.

    1. Re:spam by BitZtream · · Score: 4, Insightful

      Everytime he posts the only thought that comes to mind is ...

      OMG I DO NOT FUCKING CARE WHAT THIS IGNORANT MORON THINKS ABOUT THINGS HE UTTERLY FAILS TO UNDERSTAND IN EVERY WAY.

      This no different than every other instance. He's a moron who thinks people care what he has to say and thinks he actually knows what he's talking about. He's the worst kind of ignorant, too stupid to realize how ignorant he is.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    2. Re:spam by BitZtream · · Score: 1

      I should also point out how he blindly clicked on a link in an email that should have set off red flags the instant he saw it.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    3. Re:spam by Anonymous Coward · · Score: 0

      Bennett, forever the clueless grandfather of slashdot. I think it would be oddly fitting to make him the mascot of the site.

      You should check out soylentnews.org. Bennett free AND as of a few days ago, it supports UTF-8. Slashdot sucks.

    4. Re:spam by Anonymous Coward · · Score: 0

      I don't care about what Bennett has to say, but I read the Slashdot comments every day for BitZtream's words of wisdom. He, for one, knows exactly what he's talking about.

  4. I have no idea what these sites are for... by TWX · · Score: 1

    ...and that means that their petty squabbles don't really affect me very much.

    It seems like most "new" things are just reimplementations of existing things. We haven't had something revolutionary on a software front in a long time.

    I expect that most technological revolution will be hardware-based for the next while and software will follow as a necessity, not as the driving force. Computing devices become wearable and less obvious (no more hulking PCs, that sort of thing) and eventually maybe the software will give us nonvisual UI, as a necessary component of shrinking and ubiquitousness.

    --
    Do not look into laser with remaining eye.
  5. The horror of winding up on Bennett's couch by timrod · · Score: 4, Funny

    I can't even think of how scary it must be to wind up on Bennett's couch. I can imagine a naïve traveller opening Bennett's door, finding no one there and deciding to make themselves at home.. only to hear the door slam and lock behind them. That's Bennett preparing to move in for the kill - but he won't do it yet, oh no, that would be too soon. He'll lie in wait until the traveller is at their most vulnerable, just when they've turned the lights off to sleep, wondering where the host is.. and that's when he springs out with a satanic, blood-curdling cry of "Hey, want to hear my thoughts on cellphone tethering and data plans?"

    The police will find the gibbering husk of what used to be a man huddled in a pile of trash in an alley a mile down the road, slowly rocking back and forth, chanting the same four words over and over: "He.. doesn't.. shut..up.."

    1. Re:The horror of winding up on Bennett's couch by Dragonslicer · · Score: 0

      Coming Summer 2015 to a theater near you...

  6. Tune in tomorrow by XanC · · Score: 1, Funny

    There's more to come in the exciting adventures of Bennett Haselton!

    1. Re:Tune in tomorrow by Anonymous Coward · · Score: 0

      featuring Timmy, the Moon Monkey

  7. Injecting himself into an unrelated story again by Anonymous Coward · · Score: 0

    Bennett has once again managed to inject constant, irrelevant references to himself into a story that has nothing to do with him.

  8. Disappointment by Anonymous Coward · · Score: 0

    "Wow, Bennett Haselton submitted a short and concise story concerning an actual event without inserting pages of inane rambling about something no one but him cares about", *clicks link to read comments*

  9. I don't know either by Anonymous Coward · · Score: 0

    Considering I don't know either it seems like both had a success with spamming Slashdot...

  10. No more Bennett Haselton by Anonymous Coward · · Score: 4, Insightful

    We cannot filter him like we can with editors. Please stop making Slashdot this boring man's blog.

  11. What a moron by gurps_npc · · Score: 1
    Assuming he was hired by AirBnb, he is an idiot.

    If he had simply taken their client's emails he probably would have gotten a similar increase in business and no one would ever have been the wiser that he had hacked Couchsurfer.

    Instead this idiot made a statement, may end up in jail, and almost certainly will have pissed off any ethical Couchsurfer.

    --
    excitingthingstodo.blogspot.com
  12. "Couchsurfing.org volunteer"? by CRCulver · · Score: 2

    Couchsurfing went from an ostensibly community-run (but really oligarchy-controlled) website to a private, Delware-registered and venture capitalist-funded corporation three years ago. To continue to call it Couchsurfing.org is disingenuous. And as for "volunteer", most of the volunteers with any integrity have long since stopped donating their time to Couchsurfing and instead are active on other, truly community-run hospitality exchange platforms.

    1. Re:"Couchsurfing.org volunteer"? by baka_toroi · · Score: 3, Interesting

      Is there another community similar in scope to Couchsurfing? What would you recommend?

    2. Re:"Couchsurfing.org volunteer"? by Ozymandias_KoK · · Score: 2

      I don't think it's integrity Bennett Haselton doesn't have, it's brevity. Different ity.

    3. Re:"Couchsurfing.org volunteer"? by mal0rd · · Score: 1

      There is http://www.bewelcome.org/ which was started around the time couchsurfing became commercial.

      It's not as big, but still usable. And fewer surfers means less competition for couches.

  13. Counter argument. by khasim · · Score: 0

    Because it wasn't 1,000 words long.

    But the counter argument is that he clicks on links sent to him via email prior to verifying their origin (who sent them) or destination (where do they link to).

    Next episode - If only there was some way to inform people that they should not click on links in email. Even if they think they're from someone they know. How will the bitter rivalry between MySpace and Friendster play out?

  14. You're a Slashdot.org volunteer by tepples · · Score: 1

    Couchsurfing went from an ostensibly community-run (but really oligarchy-controlled) website to a private, Delware-registered and venture capitalist-funded corporation three years ago. To continue to call it Couchsurfing.org is disingenuous.

    Yet you're posting this on Slashdot, which continues to operate from the .org TLD after having been sold to Andover, VA Linux, and Dice.

    1. Re:You're a Slashdot.org volunteer by CRCulver · · Score: 2

      Yet you're posting this on Slashdot, which continues to operate from the .org TLD after having been sold to Andover, VA Linux, and Dice.

      While Slashdot may continue to operate from its old .org URL, no one regularly refers to it as "Slashdot.org" with the aim of suggesting community governance, which is still done by some disingenous advocates for Couchsurfing. And luckily with the Dice acquisition and beta debacle, and the rise of SoylentNews, most people are aware of Slashdot's circling the drain and the rise of a community-run alternative.

  15. Worse than it seemed by Anonymous Coward · · Score: 3, Interesting

    The images loading at the bottom of the email attempted to change profile data, join the CS queer group, and remove the profile.

    1. Re:Worse than it seemed by Anonymous Coward · · Score: 0, Offtopic

      Why didn't Bennett, Superman of the Internet, catch that fact? That would've actually been an interesting thing to report. He might even been able to keep the explanation of that observation below 3000 words.

    2. Re:Worse than it seemed by Anonymous Coward · · Score: 0, Troll

      perhaps he was already in the CS queer group so didn't notice?

    3. Re:Worse than it seemed by reikae · · Score: 2

      Why change the data and join a group if the profile just gets deleted afterwards? I'm not sure if you're kidding or not :-)

      Besides, wouldn't this also require that all actions work through GET requests instead of POSTs?

  16. The horror of winding up on Bennett's couch by slashdice · · Score: 1

    You think that's bad? Try couch surfing at the geek compound circa 1999. Hope you like the smell of jaeger and astroglide.

    --
    Copyright (c) 1990 - 2014 Dice. All rights reserved. Use of this comment is subject to certain Terms and Conditions.
  17. Re: by slashdice · · Score: 5, Funny

    I hear airbnb is good.

    --
    Copyright (c) 1990 - 2014 Dice. All rights reserved. Use of this comment is subject to certain Terms and Conditions.
  18. Re: by Anonymous Coward · · Score: 0

    You win the thread.

  19. Couch Surfing at a Strangers / Letting one stay by Anonymous Coward · · Score: 1

    Couch surfing at a stranger's home is like staying at a hostle or homeless shelter and is very risky to you and your belongings.

    On the other side of that, letting a complete stranger into your home to sleep on your couch is also risky and could get you robbed, hurt, and/or killed.

    1. Re:Couch Surfing at a Strangers / Letting one stay by CRCulver · · Score: 2

      Couch surfing at a stranger's home is like staying at a hostle or homeless shelter and is very risky to you and your belongings. On the other side of that, letting a complete stranger into your home to sleep on your couch is also risky and could get you robbed, hurt, and/or killed.

      Couchsurfing (with a modicum of due caution) isn't staying with or hosting "complete strangers". You can check previous references left by other guests/hosts that the person has had. Plus, well-functioning hospitality exchange platforms tend to have an active userbase small enough that everyone kind of knows each other. I've hosted a number of people with whom I've turned out to have mutual friends.

      People have been "robbed and hurt" on Couchsurfing, but beyond the rare petty theft that could even happen when hosting friends (yes, people's friends can steal too) or relatives (many people have a klepto in the family), violent incidents are rare and the cases I am aware of were single females unwisely hosting single males. I am unaware of anyone ever being killed. Maybe you would like to back up your assertion somehow?

      Couchsurfing is nothing new. It superseded its website forebear Hospitality Club, which in turn inherited, among other things, mailing lists for hospitality exchange among hitchhikers and nomadic travellers. There's also WarmShowers, a community for cycle tourists, that has been around for years now and goes back to a pre-internet paper directory. With years of experience and millions of host-guest interactions, you cannot reasonably claim that hospitality exchange is more dangerous than, say, driving one's car on a daily basis.

    2. Re:Couch Surfing at a Strangers / Letting one stay by Anonymous Coward · · Score: 1

      People have been "robbed and hurt" on Couchsurfing, but beyond the rare petty theft that could even happen when hosting friends (yes, people's friends can steal too) or relatives (many people have a klepto in the family), violent incidents are rare and the cases I am aware of were single females unwisely hosting single males. I am unaware of anyone ever being killed. Maybe you would like to back up your assertion somehow?

      When you've pretty much agreed that everything he said was true (though you attempt to handwave it away and blame the victim)... your "would you like to back that up?" doesn't carry much weight.
       

      With years of experience and millions of host-guest interactions, you cannot reasonably claim that hospitality exchange is more dangerous than, say, driving one's car on a daily basis.

      Yes, I can - because you're not comparing like-to-like. The "years of experience" you cite are for more-or-less closed communities of like minded people, very likely known to each other or having common friends or acquaintances. The modern hospitality exchanges are between random people, complete strangers. (Checking out references doesn't mean you aren't complete strangers, it means you're complete strangers that have checked out references.)

    3. Re:Couch Surfing at a Strangers / Letting one stay by CRCulver · · Score: 3, Interesting

      When you've pretty much agreed that everything he said was true (though you attempt to handwave it away

      Fearmongering about risks that are statistically insignificant should be waved away. Otherwise one would hardly ever leave their own homes (or even move about in those homes).

      and blame the victim...

      Noting that the well-known cases of violence within Couchsurfing.com related to single females hosting single males is in no way blaming them. Rather, the point is that since the GP is presumably male and writing for a predominantly male audience (these being the sad demographics of Slashdot), his exortation to fear such violence is groundless.

      The "years of experience" you cite are for more-or-less closed communities of like minded people, very likely known to each other or having common friends or acquaintances. The modern hospitality exchanges are between random people, complete strangers.

      There has been no such transition overall in internet hospex from trustworthy closed communities to "random people, complete strangers" as you depict. Couchsurfing.com specifically has grown too large to have that feeling of being a closed community of like-minded people, though the result of this is vastly more likely to be simply meeting a person whose company one doesn't enjoy with than experiencing crime. However, internet hospex in general remains a series of overlapping circles of friends, which one can plainly see from Couchsurfing's two community-run alternatives.

  20. To those saying he should get a blog.. by lemur3 · · Score: 1, Offtopic

    They gave him one long ago, right here, on slashdot!

    maybe they can celebrate a whole new section soon.

    bennett.slashdot.org

    it will be great. as beloved as idle.slashdot.org !!

  21. THE SPAMMER - EPISODE ONE by MillionthMonkey · · Score: 1

    The police kicked down the door, breaking the glass and maneuvering through the room with guns drawn. The living room was empty. They searched the kitchen. Nothing. One of them kicked in the bedroom door and swung his assault rifle in a wide angle as he crashed through.

    Immediately he saw that the floor was covered with spam. A computer's hard drive had exploded under pressure and was oozing a liquid discharge of strange attachments and cryptic URLs across the desk and onto the floor. " Couchsurfing sucks... here's a better couch!" they yelled, one after another. Then the fumes struck him.

    Overwhelmed, he stumbled backward, spraying vomit across the living room as he fell. He lay on the spammy floor unconscious, convulsing, muttering the same thing over and over. "Delete... delete... delete... delete..." The other officers quickly ran out of the front door, dragging him along by the legs as they struggled to cover their eyes which were lachrymating upon exposure to the spam. One of the units outside called for backup and unwound a yellow tape labeled "POLICE LINE - DO NOT EMAIL" around the residence. A forensics van pulled up, and several officers strapped rubber gloves onto their hands and Pentagon-surplus armored spam filters on their faces. They reentered the building, treading lightly, taking flash photographs, and laboriously stuffing individual spam emails into each of 10,000,000 Ziploc bags.

    About twenty minutes later, Detective Protagoniste and the Commissioner arrived at the scene in their unmarked car.

    "Well, what do you make of this mess, Detective?" asked the Commissioner, as they approached the building. Protagoniste picked up one of the bags, and held it up to the light, and replied, "Commissioner, as of now, the spam's been caught... but not the Spammer!"

    1. Re:THE SPAMMER - EPISODE ONE by Anonymous Coward · · Score: 0

      This story lacks sunglasses and http://i.dailymail.co.uk/i/pix/2008/09/04/article-1052367-0103B55A000004B0-847_468x461.jpg

  22. The horror of winding up on Bennett's couch by bennetthaselton · · Score: 1

    stop posting spoilers without a warning

  23. Re:Bennett and timothy are a couple of queers by newcastlejon · · Score: 1

    As a queer, I find that offensive.

    --
    If God forks the Universe every time you roll a die, he'd better have a damned good memory.