Security

The security of your information is critical.
Here is how we keep it safe.

Your Airbnb account

Your password is not stored.

Your Airbnb account password is never stored by us. As a matter of fact, it would be useless to us, since we connect to Airbnb using their API. This is, for example, how we obtain the profile of a user. As you will notice, there is no form to enter a password.

Instead of using your password, your account is authenticated using a token that is requested to Airbnb the first time you connect your account to Hospitable.

Only this token is stored in our database in a secure fashion, not your password.

Airbnb’s API helps us secure your account.

Airbnb’s API offers a system of authentication with a disposable token. Using this method of identification helps secure your Airbnb credentials:

  1. It is impossible to change the account’s password with the token. We couldn’t change the password if we wanted to.
  2. If the password is changed by the account’s owner, all tokens generated previously are immediately rendered useless by Airbnb.

This means the account’s owner retains full control over their Airbnb account.

This results in the token as it would be stored. It is formatted as an hexadecimal string of 512 characters:

8ad6a157f4d930a12b4c4e90a5e125e0d3e02d3f180c7e61c088d95e4b04dc07
49fa68d901de7aa92bdac6242d636202ccb9e4ef2054bf85223e31e912e95dbe
3d1be946d312dfb6bc097073e7ff46347dd7c57427257405ee7c31e13d2f990f
7cb746976a7db7d19aeb38fcdc60d8f1a5a8b569d9a966769f71ca58b7d75de0
60b8b95dcc1a92f994269372fa96b701d913bbeba70b9accef4987f494cf3aa7
5361f4bf1f632ae1ec9aa32a40801f54602ff989e4cc2d65010a310a1db39f61
ec40abd80f0bf1d0d071f2b87614f38512ebc9798761d99ebe3b240c5299386c
7337bb83940190e27f9ad0b9f45813eb83937765c135297fd0b106acc9bc3d98

Your token is heavily encrypted and secured.

A token is a sequence of letters and numbers that looks something like OrybQmOWQw2KiWyT94j80bwAU. However, for security considerations, the token cannot be stored in that form and has to be securely encrypted.

We encrypt your token using the same encryption standard that is used to secure the Internet (RSA-2048 bits). There is no master password: each token is encrypted using their own key pairs. The (private) key is itself encrypted using AES-256. In addition, the encrypted token, and the keys, are not accessible from the public Internet.

The token would be useless without the keys. As a result, a data thief would not be able to make use of the token.

What it means

Let’s stay your clear authentication token, as obtained from Airbnb is:

OrybQmOWQw2KiWyT94j80bwAU

It is then encrypted by the public key:

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1abdj9+lrZtiovCxxwvW
miBH6xRaXgLhK2rxoK8G4d21bmVDJRGcH5rn1YPvp8PsICAUUmx8tMJ3yAu04ho3
rtgZj+STnDsIYd2PoJU/HSgYYLfXxbm5605hI159uqk5FQpAGQdqy2rq97RKOuE6
FjJoznP0s0iFqFHKu1+5l9ex39ant5jB8yDpO4lozI6ZO+cE14EHZpUnb+0NCnxu
bNjy8o9bA3peyRSXHy5J+5Wfs+xE9MtssMZ1FGX43nE4N7Sc3hlc9Cbr2bn+ZjzK
MRf+tsUsgVzqpsXLV6y3ibyAP7qSj/mcIaQp9PE6Y7eLTQF9E28G9e6PntiVGyO2
2wIDAQAB
-----END PUBLIC KEY-----

This results in the token as it would be stored. It is formatted as an hexadecimal string of 512 characters:

8ad6a157f4d930a12b4c4e90a5e125e0d3e02d3f180c7e61c088d95e4b04dc07
49fa68d901de7aa92bdac6242d636202ccb9e4ef2054bf85223e31e912e95dbe
3d1be946d312dfb6bc097073e7ff46347dd7c57427257405ee7c31e13d2f990f
7cb746976a7db7d19aeb38fcdc60d8f1a5a8b569d9a966769f71ca58b7d75de0
60b8b95dcc1a92f994269372fa96b701d913bbeba70b9accef4987f494cf3aa7
5361f4bf1f632ae1ec9aa32a40801f54602ff989e4cc2d65010a310a1db39f61
ec40abd80f0bf1d0d071f2b87614f38512ebc9798761d99ebe3b240c5299386c
7337bb83940190e27f9ad0b9f45813eb83937765c135297fd0b106acc9bc3d98

That encrypted token cannot be decrypted with the public key, but with another “private” key. The private key is stored on our servers and never transits on the public Internet. Out of an abundance of caution, that key is itself stored in encrypted form.

Without the private key, how long would it take to obtain the clear token back?

If every atom in the observable universe was a CPU of the same computing power than the device on which you are currently reading this page, it would take 5.95×10211 years to find the token. (source)

That is 59 500 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 years to decrypt the Airbnb token. Considering the Universe is estimated to be 13.75×109 years old, this is an impossibly long time.

Actually, the figures above are only for RSA-1024 bit keys, while we use RSA-2048, which is 232 times stronger, so it takes around four billion times (not years: times) longer to hack that token.

By comparison, it takes you a few seconds to change your Airbnb password.

Communication

All communications between Hospitable and your browser are transmitted over TLS (HTTPS). This allows us to protect your security details against any eavesdropping. HSTS is also implemented to ensure browsers interact with Hospitable only over HTTPS.

HTTPS is also enforced when our servers exchange information with Airbnb’s API.

All communication by email from us will identify you by name, or will be cryptographically signed for [email protected]. We will never ask you for any personal information by email.

To securely contact Hospitable by email, we advise you to use the PGP key.

Secure your message

Please report any vulnerability to [email protected].
You can encrypt your communication using our PGP key.

Fingerprint: E4F2 22D1 3AFE 646B 1EB8 6C74 3CFC 256B 3680 8E44

Key ID: 36808E44
Key Type: RSA
Key Size: 4096

Payment Methods

Hospitable is PCI Level 2 compliant. An AOC is available by request.

We do not process or store credit card details from our customers when paying for Hospitable services. No payment method information ever hits our servers. For this, we hand off credit card and PayPal processing to Braintree. They power online transactions for thousands of businesses and comply with PCI standards in the storage and handling of credit card information.

We do not process or store credit card details from Airbnb and Vrbo guests. We store tokenised credit card details in compliance with PCI-DSS requirements for Booking.com guests, and hand off payment processing to Stripe.

Braintree

Server Security

We follow industry standards practices to secure our servers. They are located in premium data centers with restricted access, strong authentication, firewall protection, and identification required.

We run an automated infrastructure vulnerability scanning on ports and SSL once a month.

We periodically engage a third party for black box and grey box penetration testing. The latest was performed in November 2020.

In addition to our own efforts, the security scans and penetration testing help ensure that no vulnerability is putting your data at risk.

Application security

We use Sqreen for account takeover attempt detection and vulnerability discovery prevention. On top of that, we perform frequent internal code reviews focusing on potential security issues.

Report a security issue

Security vulnerabilities are an unfortunate but common issue in software. We take them very seriously and we appreciate your help in notifying us of vulnerabilities in a responsible manner. We will respond to any security issue within a maximum of 24 hours.

Responsible Disclosure: We would like to keep Hospitable safe and secure for everyone. If you have discovered a security vulnerability we would greatly appreciate your help in disclosing it to us in a responsible manner.

Publicly disclosing a vulnerability can put the entire Hospitable community at risk. If you have discovered a possible vulnerability, we would greatly appreciate you emailing us at [email protected]. We will work with you to assess and understand the scope of the issue and fully address any concerns. We will ensure that issues are addressed rapidly. Any security emails are treated with the highest priority as the safety and security of our service is our primary concern.