Your Airbnb account

We made some radical design decisions to protect your Airbnb accounts.
Why? Ultimately, because ours are stored here too.

Your password is not stored.

Your Airbnb account password is never stored by us.

As a matter of fact, it would be useless to us, since we connect to Airbnb using their API.

Instead of using your password, your account is authenticated using a token that is requested from Airbnb the first time you connect your account to Smartbnb. Once the token has been obtained, the password is wiped from memory; it never touches our database.

Airbnb's API helps us secure your account.

Airbnb's API offers an authentication system based on a disposable token. Using this method of identification helps secure your Airbnb credentials:

  1. It is impossible to change the account's password with the token. We couldn't change the password if we wanted to.
  2. If the password is changed by the account's owner, all tokens generated previously are immediately rendered useless by Airbnb.

This means the account's owner retains full control over their Airbnb account.

Your token is heavily encrypted and secured.

A token looks like xovn14kff135k8vkp5ywkoopy. For security reasons, however, the token cannot be stored in that form and has to be encrypted.

We encrypt your token using the same encryption standard that is used to secure the Internet (RSA with 2048-bit keys). There is no master password: each token is encrypted with its own key pair. The private key is itself encrypted using AES-256. In addition, neither the encrypted token nor the keys are accessible from the public Internet.

The token is useless without the keys, so a data thief who obtained the stored token would not be able to make use of it.

What it means

The clear authentication token, obtained from Airbnb:

xovn14kff135k8vkp5ywkoopy

is encrypted by the public key

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoMijvIsHBWvxC0xixaP+
zKZTLblLUNkEe3FiFLDdOBjuZLxJpES+3Mqnh4Nc4Oskby8isaYaLBBtH+v9appz
/J4ORwsjfuHYyPhY+BCSYQHQbYhvp0vtaKNLPA3syPoSIsarACdlBC99G5dUCbkx
QZb/73HenFjTpPcSJr3IfTlYo31u5II0suic4wg0RnOcfmG5qWCrU2MFP3jFP46h
83YXWXUAQFKU9UrhFlN3kgHSRor6TDQT3QzSU9aWNB3YhrhwIXLJvgBHFtAT302u
Cn/AAeghac5pzTD28Pqdg/T43c5nSWQ1Y1RzSOxrYxZ+s2SnmRU46GHbMwhBZgtQ
twIDAQAB
-----END PUBLIC KEY-----

which gives the token as it would be stored, formatted as a hexadecimal string of 512 characters:

40454f295f3e9c083e766df8a649d70e7b4ee51309d5aca8b5fb76145df0858b
010f589009a6d55da409840c10e112908676f99e9ba62483c14a10bbbfcaa20f
f0792fd1bed93808982819dc2ed365e0b17423adf230aeac2cbb7006b89edce9
dd6e06b2b3d62c0ca5f3c6925aadc7d9f09427ba972d1ca0d53cac1e1e35e7bd
cf86556b971f0a9b9115be29d07912e1f4528bef087cbf33c3c8b5bcd8a3c987
d37387feb095457abd062b65e285577c715076c0c3f8a80ad186e02c18ffc08a
3d495885abc0a7c89e2cf0acb3556e2b62efbe43a3eedf625eac946f72d3e3ce
02164fc5746f11e6c584031c140dff31cf1f408c535c82354c373f490c3d356c

That encrypted token cannot be decrypted with the public key, only with the matching "private" key. The private key is stored on our servers and never travels over the public Internet. Out of an abundance of caution, that key is itself stored in encrypted form.
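The storage scheme described above, as an added example written for this page rather than Smartbnb's own code: one fresh RSA-2048 key pair per token, the token encrypted to the public key, the ciphertext kept as hex (256 bytes, so the same 512 characters as the sample above), and the private key wrapped under AES-256. The record layout, the function names, the use of RSA-OAEP with SHA-256 and of AES-256-GCM for the key wrap, and the in-memory key-encryption key `kek` are all assumptions of this example; the page does not say which padding or AES mode is used, nor where the AES key lives.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// StoredToken is the per-account record this example would persist.
// Field names are this example's assumption, not Smartbnb's schema.
type StoredToken struct {
	TokenHex   string // RSA-OAEP ciphertext: 256 bytes, i.e. 512 hex characters
	WrappedKey []byte // AES-256-GCM nonce || ciphertext of the PKCS#1 private key
}

// Seal generates a fresh RSA-2048 key pair for this single token, encrypts the
// token with RSA-OAEP (SHA-256), then wraps the private key under the 32-byte
// key-encryption key kek with AES-256-GCM. The public key is not kept: it is
// never needed again once the token has been encrypted.
func Seal(token string, kek []byte) (*StoredToken, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &priv.PublicKey, []byte(token), nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped := gcm.Seal(nonce, nonce, x509.MarshalPKCS1PrivateKey(priv), nil)
	return &StoredToken{TokenHex: hex.EncodeToString(ct), WrappedKey: wrapped}, nil
}

// Open reverses Seal. A wrong kek fails GCM authentication before any RSA
// operation runs; a tampered token ciphertext fails OAEP decoding.
func Open(rec *StoredToken, kek []byte) (string, error) {
	gcm, err := newGCM(kek)
	if err != nil {
		return "", err
	}
	n := gcm.NonceSize()
	if len(rec.WrappedKey) < n {
		return "", errors.New("wrapped key too short")
	}
	privDER, err := gcm.Open(nil, rec.WrappedKey[:n], rec.WrappedKey[n:], nil)
	if err != nil {
		return "", fmt.Errorf("unwrap private key: %w", err)
	}
	priv, err := x509.ParsePKCS1PrivateKey(privDER)
	if err != nil {
		return "", err
	}
	ct, err := hex.DecodeString(rec.TokenHex)
	if err != nil {
		return "", err
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ct, nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// newGCM builds the AES-256-GCM AEAD used to wrap private keys.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key-encryption key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed inputs: the page's sample token and a random in-memory KEK.
	// In production the KEK would come from a KMS or HSM, never the token database.
	kek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		panic(err)
	}
	rec, err := Seal("xovn14kff135k8vkp5ywkoopy", kek)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: %d hex chars, wrapped key %d bytes\n", len(rec.TokenHex), len(rec.WrappedKey))
	token, err := Open(rec, kek)
	fmt.Println("recovered:", token, err)
	_, err = Open(rec, make([]byte, 32)) // wrong KEK: authentication fails
	fmt.Println("wrong KEK:", err)
}
```

The design point worth noting from a defender's side is that the RSA layer alone adds nothing if the wrapped private key and the key-encryption key sit in the same place as the ciphertext: the strength of the whole record collapses to the strength of wherever the AES key is kept, which is why the page's statement that the keys are not reachable from the public Internet matters more than the key length.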

Without the private key, how long would it take to obtain the clear token back?

If every atom in the observable universe were a CPU with the same computing power as the device on which you are currently reading this page, it would take 5.95×10^211 years to find the token. (source)

That is 59 500 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 years to decrypt the Airbnb token. Considering the Universe is estimated to be 13.75×10^9 years old, this is an impossibly long time.

Actually, the figures above are for RSA-1024-bit keys, while we use RSA-2048, which is 2^32 times stronger, so it takes around four billion times (not years: times) longer to break that token.

Comparatively, it takes you a few seconds to change your Airbnb password.

By the way: the simple fact that you visit this page adds a new key pair to our store and contributes to increasing the security of our users.

Still worried? Use Co-Hosts.

The ideal solution would be for Airbnb to give public access to their API. The next best thing is Airbnb's new "additional host" feature.

If you are still reluctant to give us access to your main account, you can use Smartbnb with a secondary account instead.

Once that secondary account is created (with another email address and password), give it permission to manage a listing. Go to your Manage Listing page and select a Listing. On the left menu, under Management, select Additional Hosts. Invite your secondary account and approve it.

You can then connect that secondary account to Smartbnb. Just like other connected accounts, we won't be able to access payout information or personal details.

This will also give you access to two tools on Airbnb's side:

  • Airbnb will give you control tools to remove that secondary account's access to your main account. Of course, you can already sever the link with your Airbnb account from Smartbnb.
  • Airbnb will give you access to an independent history of our actions on your Airbnb account. This is something we already do on our side by giving you access to our logs.

Communication

All communications between Smartbnb and your browser are transmitted over TLS (HTTPS), which protects your security details against eavesdropping. HSTS is also implemented to ensure browsers interact with Smartbnb only over HTTPS.
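HSTS only does its job when the Strict-Transport-Security header is present, parseable and long-lived, so it is something a site operator should check rather than assume. Below is an added example, not code from Smartbnb, of a small RFC 6797 parser plus a policy check run over constructed header values (the samples are made up for this example and were not captured from smartbnb.io; the minimum age and the finding texts are this example's own choices).

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// HSTSPolicy is the parsed form of a Strict-Transport-Security header value.
type HSTSPolicy struct {
	MaxAge            int64
	IncludeSubDomains bool
	Preload           bool
}

// ParseHSTS parses a header value per RFC 6797: directives separated by ';',
// names case-insensitive, max-age mandatory and not repeated, quoted values
// allowed, unknown directives ignored.
func ParseHSTS(value string) (HSTSPolicy, error) {
	var p HSTSPolicy
	seenMaxAge := false
	for _, raw := range strings.Split(value, ";") {
		d := strings.TrimSpace(raw)
		if d == "" {
			continue
		}
		name, val, hasVal := strings.Cut(d, "=")
		name = strings.ToLower(strings.TrimSpace(name))
		val = strings.Trim(strings.TrimSpace(val), `"`)
		switch name {
		case "max-age":
			if !hasVal || seenMaxAge {
				return p, errors.New("max-age missing a value or repeated")
			}
			n, err := strconv.ParseInt(val, 10, 64)
			if err != nil || n < 0 {
				return p, fmt.Errorf("invalid max-age %q", val)
			}
			p.MaxAge, seenMaxAge = n, true
		case "includesubdomains":
			p.IncludeSubDomains = true
		case "preload":
			p.Preload = true
		}
	}
	if !seenMaxAge {
		return p, errors.New("max-age directive is required")
	}
	return p, nil
}

// CheckHSTS returns one finding per weakness; an empty slice means browsers
// will stay on HTTPS for at least minAge seconds, subdomains included.
func CheckHSTS(value string, minAge int64) []string {
	if strings.TrimSpace(value) == "" {
		return []string{"Strict-Transport-Security header missing: nothing stops a plain-HTTP first request"}
	}
	p, err := ParseHSTS(value)
	if err != nil {
		return []string{"unparseable HSTS header, browsers will ignore it: " + err.Error()}
	}
	var findings []string
	switch {
	case p.MaxAge == 0:
		findings = append(findings, "max-age=0 tells browsers to drop the HSTS policy")
	case p.MaxAge < minAge:
		findings = append(findings, fmt.Sprintf("max-age %d is below the required %d seconds", p.MaxAge, minAge))
	}
	if !p.IncludeSubDomains {
		findings = append(findings, "includeSubDomains not set: subdomains remain reachable over plain HTTP")
	}
	return findings
}

func main() {
	// Constructed sample header values for the demo, not captured from any site.
	samples := []struct{ name, value string }{
		{"strong", "max-age=31536000; includeSubDomains; preload"},
		{"weak", "max-age=300"},
		{"disabled", "max-age=0; includeSubDomains"},
		{"missing", ""},
	}
	for _, s := range samples {
		fmt.Printf("%-8s %q -> %v\n", s.name, s.value, CheckHSTS(s.value, 31536000))
	}
}
```

The one-year minimum used here (31536000 seconds) is the threshold the browser preload lists require; a shorter value still works but narrows the window during which a returning browser refuses plain HTTP.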

HTTPS is also enforced when our servers exchange information with Airbnb's API.

All email communication from us will identify you by name, or will be cryptographically signed by hello@smartbnb.io. We will never ask you for any personal information by email.

To securely contact Smartbnb by email, we advise you to use the PGP key below.

Payment Methods

In compliance with PCI-DSS requirements, we do not process or store credit card details. No payment method information ever hits our servers.

We hand off credit card and PayPal processing to Braintree. They power online transactions for thousands of businesses and comply with PCI standards in the storage and handling of credit card information.

Server Security

We follow industry-standard practices to secure our servers (located in premium data centers with restricted access, strong authentication and identification required, firewall protection).

To make sure that our efforts are always up to date, we submit ourselves to daily security vulnerability scans by McAfee and Qualys. In addition to our own efforts, those frequent security scans help ensure that no vulnerability is putting your data at risk.

Report a security issue

Security vulnerabilities are an unfortunate but common issue in software. We take them very seriously and we appreciate your help in notifying us of vulnerabilities in a responsible manner. We will respond to any security issue within a maximum of 24 hours.

Responsible Disclosure: We would like to keep Smartbnb safe and secure for everyone. If you have discovered a security vulnerability we would greatly appreciate your help in disclosing it to us in a responsible manner.

Publicly disclosing a vulnerability can put the entire Smartbnb community at risk. If you have discovered a possible vulnerability we would greatly appreciate you emailing us at hello@smartbnb.io. We will work with you to assess and understand the scope of the issue and fully address any concerns. We will ensure that issues are addressed rapidly. Any security emails are treated with the highest priority as the safety and security of our service is our primary concern.

Secure your message

Please report any vulnerability to hello@smartbnb.io.
You can encrypt your communication using our PGP key.

Fingerprint: E4F2 22D1 3AFE 646B 1EB8 6C74 3CFC 256B 3680 8E44

Key ID: 36808E44
Key Type: RSA
Key Size: 4096