
Is the TIPI App Secure ? Far From It


As I sit here I am listening to what I assume is a representative of TIPI talking about this app called TIPI, which has now been installed in hostels around Australia. After doing much research it is apparent that at any hostel that has this app, customers are forced to use it in order to check in. Customers are then forced to scan a copy of their driver's licence or passport. Where are these images stored, and how are they stored? Are they encrypted? From my research it is hard to know, as their website does not provide any information on the security of customer data.

It is comical listening to this TIPI employee as he boasts about his travels interstate; each person he meets, he thinks it important to let them know that he has just arrived back and about the drinking he has done. Not a very good look.

Anyway back to this insecure app.

Here is a question for the TIPI people. How can your customers be assured that their data is stored securely when your own website does not use even the most basic form of transport encryption, TLS (HTTPS)? HTTPS only protects data in transit, not what sits on the server, but it is the first thing any site that collects personal data should have, and a company that cannot get that right gives customers no reason to trust it with anything harder.

Here is the insecure website URL: http://tipi.me/

After reading their privacy document, it is written that even though you can delete your information from their servers, they are not responsible for any of their 'partners', as they do share your information with these partners, no doubt to provide spam emails and marketing benchmarks. It seems that TIPI does not have any idea about security, and I would be VERY wary of giving them a colour scanned copy of my passport or driver's licence, as who knows who could have a copy of your documents in the future; it is clear that TIPI have zero ability when it comes to cybersecurity or OpSec.

It is comical that TIPI states that it is 100% secure yet cannot even put a TLS certificate on its own website. Amateur hour from a company that bases its platform around storing valuable identity documents such as passports and driver's licences.
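The check behind the HTTPS complaint above is easy to automate. The following is an added example (not TIPI's or OneHost's code): it takes the response a site's plain http:// URL returns, judges whether the site redirects visitors onto HTTPS, and then checks the HSTS policy the https:// origin sends back. Every response used here is constructed for illustration (the host example.test is a placeholder); in practice you would feed it the status and headers from something like `curl -sI http://tipi.me/`.

```python
"""Judge a site's transport-security posture from its HTTP responses.

Added example; not code from TIPI or OneHost Cloud. The sample responses in
__main__ are constructed, not captured from any real host.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
ONE_YEAR = 31_536_000  # seconds; the usual floor for a meaningful HSTS max-age


@dataclass
class Verdict:
    grade: str                      # "enforced" (HTTP -> HTTPS) or "none"
    findings: list = field(default_factory=list)


def parse_hsts(value: str) -> dict:
    """Split a Strict-Transport-Security header into lower-cased directives."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def assess_http_response(url: str, status: int, headers: dict) -> Verdict:
    """What does http://host/ answer? Only a redirect to https:// on the same
    host counts as enforcing HTTPS; a 2xx means content is served in the clear."""
    h = {k.lower(): v for k, v in headers.items()}
    host = urlsplit(url).hostname
    verdict = Verdict(grade="none")

    if status in REDIRECT_CODES and "location" in h:
        target = urlsplit(h["location"])
        if target.scheme == "https" and (target.hostname or host) == host:
            verdict.grade = "enforced"
            verdict.findings.append(f"{status} redirect to {h['location']}")
        else:
            verdict.findings.append(
                f"redirects to a non-HTTPS or off-host target: {h['location']}")
    elif 200 <= status < 300:
        verdict.findings.append(f"serves content in the clear over HTTP ({status})")

    # RFC 6797 s8.1: browsers MUST ignore an STS header received over plain
    # HTTP, so its presence here does not protect anyone.
    if "strict-transport-security" in h:
        verdict.findings.append(
            "HSTS header sent over plain HTTP; browsers ignore it unless it "
            "arrives over HTTPS")
    return verdict


def assess_https_response(status: int, headers: dict) -> list:
    """Check the HSTS policy the https:// origin returns. Returns findings;
    an empty list means the policy is present and reasonably strong."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if "strict-transport-security" not in h:
        findings.append("no HSTS: first visit over http:// can still be intercepted")
        return findings
    directives = parse_hsts(h["strict-transport-security"])
    try:
        max_age = int(directives.get("max-age", "0"))
    except ValueError:
        max_age = 0
    if max_age < ONE_YEAR:
        findings.append(f"HSTS max-age={max_age} is below one year")
    if "includesubdomains" not in directives:
        findings.append("HSTS lacks includeSubDomains")
    return findings


if __name__ == "__main__":
    # Constructed samples: a site that answers in the clear, and one that does
    # the right thing. Neither is a captured response from a real host.
    insecure = assess_http_response("http://example.test/", 200,
                                    {"Content-Type": "text/html"})
    secure = assess_http_response("http://example.test/", 301,
                                  {"Location": "https://example.test/"})
    print("plain 200 ->", insecure.grade, insecure.findings)
    print("301 to https ->", secure.grade, secure.findings)
    print("https HSTS ->", assess_https_response(
        200, {"Strict-Transport-Security": "max-age=63072000; includeSubDomains"}))
```

A site that returns a 2xx on its http:// URL, as the post says tipi.me did, gets grade "none" regardless of what the https:// origin offers, because every visitor who types the bare hostname is served over cleartext.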

A copy of the Privacy Policy can be found here

Here is a screenshot direct from their website where they state that your information will only be shared with your hostel, but this is a direct lie, as their privacy policy states:

The Services include several features that may allow you to share your information with others. Please remember that if you choose to provide personal information using certain features of the Services, that information may be available to the wider Services community, or may be published on our Sites, which is subject to indexing by third party search engines
What really boils my blood is the blatant falsehood that they claim they are not sharing your data, whereas they know (and now I know) that this is completely false and an outright lie!

In light of this I thought I would write to TIPI to inform them of a few home truths. I shall post their response soon should they provide one.


To Whom it may concern,

I am a little concerned about your statement on security when your own site does not even use SSL.

In addition to this, your site does not inform customers about where customer data is stored and what protections, including security of servers and network infrastructure, are in place to guarantee that the identity documents you collect remain secure in encrypted form and that access to them is closely monitored to prevent abuse.

It is common practice with apps such as yours that the business model is all about sharing data with third parties, and although you may not sell it, you certainly provide customer information to your so-called 'partner' providers. This sharing in effect provides no guarantee that customers' valuable identity documents remain secure, as once you share this information your obligation expires, and your privacy policy indirectly states this. For a business that has the word "Security" on its home page, it is apparent that you cannot even get the basics correct by implementing SSL, as I have spent 15 minutes this morning testing the security of your site and I can assure you that if I were a criminal or out to destroy your site, you would not have one for very long.

You as a business are obliged to protect customer data, especially since you are collecting each customer's identity documents, and as stated above you cannot even get the basics right, so how can we ever expect you to provide the level of security required for storing customer data?


Regards,
Ben McGuire
Head Of Cyber Operations
OneHost Cloud & Security
UK Ph: +44 20 3519 2171
AU Ph: +61 (03) 85920571
https://onehostcloud.hosting

Leaders In Cyber Security & Hosting

Recently I was contacted by Tipi requesting that we take down this blog post. Due to our investigations of this company and its server security, we feel it is important to let others know that the server infrastructure remains vulnerable to numerous publicly disclosed vulnerabilities. I personally feel an obligation to inform not only Tipi and their management but, more importantly, their customers, who depend on Tipi to securely store their identity documents and not to have networks and servers that are not safe from hackers. While Tipi may advise that they do not store the identity documents, we can confirm that they do store other personal information and share this with third parties, which is contradictory to their privacy policy. We could confirm that they store the identity documents by simply accessing their servers, but that would be illegal and I certainly am not going to involve myself in that.

We received an email from the CEO of Tipi, Jack Bowcott, who threatened legal action should we not remove the post. I advised him in my email response that he should not be so ignorant, and that when a person with over 20 years' experience in cyber operations and security tells you that you have an issue with security, you should take action and not simply request removal of the post that advises potential customers that their personal information may not be safe at all. OneHost Cloud believes in freedom of expression and will NEVER remove any content under any circumstances. I felt it my duty to advise the public of the potential issues with the Tipi platform. To be perfectly honest, I could take the entire site offline and make a copy of their databases even now, but we are not in the business of damaging other businesses through hacking; we would much prefer to advise, and it is then up to the business owners to take our advice, which in this case Jack Bowcott has refused to do.

Here are his email and my response below.

On 11/30/2017 03:32 AM, Jack Bowcott wrote:
Ben, I have been extremely patient with your slanderous and factually incorrect article on Tipi. You don’t answer your phone, you don’t reply to your emails & you have left me no choice but to take legal action against you.
If you read the email chain below, you will see that this could have been resolved amicably. We have now received negative feedback from users citing your article, which we can prove is categorically incorrect.
I would suggest you remove the article immediately or at least have the courage to answer your calls.


Jack Bowcott | Tipi CEO
101/24 Bayswater Rd, Kings Cross, Sydney
m: +61 (0) 401 399 962
e: [email protected]
Hostels – www.tipi.travel
Travellers – www.tipi.me

Jack,

I would have thought my lack of response to the emails from yourself and your colleague would have been an indication that I have no interest in removing the publication from the website.

The article and the opsec I conducted on your site some time ago would have allowed me to take your site offline very easily, and it is sites such as yours that falsely indicate to customers that their information is protected and safe from attackers. You should be focusing your energies on resolving the security of your webserver and backend application, as the article states this insecurity, yet to this day you have not resolved any of these security vulnerabilities.

Just because you do not like something negative written about your company does not give you the right to start threatening others with legal action. It would be unfortunate if your entire customer data were exposed and posted online; that would severely impact your business, and it would be most embarrassing for your customers to discover that you had been warned about such security issues previously.

You can consider that my first and final response, so do what you must, as your threats do not mean much, and someone who is too ignorant to listen to others when told about something that could affect their business is not someone I would want to continue wasting my time conversing with.

Regards,

Ben McGuire
Head of Cyber Operations
UK Ph: +44 203519 2171
AU Ph: +61 (03) 85920571
https://onehostcloud.hosting