Account takeover, data exfiltration, cancelled reservations and more: the consequences could have been serious for Booking.com, which was affected by security flaws that have fortunately been fixed since their discovery.
The API protection platform Salt Security published on Thursday, March 2, a report questioning the security of the accommodation booking site Booking.com, pointing to many flaws that could have affected large numbers of users who log in to the platform with their Facebook account. Although the flaws have been fixed, there is no guarantee that they were never exploited.
Vulnerabilities detected in the authentication system that lets an application sign you in to Booking.com
The vulnerabilities on Booking.com were found in the site's implementation of the Open Authorization (OAuth) protocol, which lets a user authorize a third-party application to access their data. This allows the user to authenticate on another site in one click, as when you use your Google or Apple account to sign in to Epic Games, Le Monde or other services.
These flaws could have had serious consequences for users who sign in to Booking via their Facebook account. Misconfigurations of the OAuth functionality could have led to the theft of customer accounts and even to the compromise of servers.
The latter could have resulted in the leak (by exfiltration) of personal and other sensitive data stored internally by the sites, or allowed an attacker to perform actions on the customer's behalf, such as making a reservation, cancelling one, or booking transportation.
Millions of potential victims
Salt Labs points out that while the OAuth protocol offers users a very simple experience, it relies on a fairly delicate technical back end that can give rise to exploitable flaws. By manipulating the OAuth sequence on Booking.com, the researchers were able to hijack sessions and take over accounts, stealing their data and acting in the users' place.
Given the still very high popularity of Facebook, the potential number of victims can be estimated at several million. The list of users once exposed to these risks is not limited to Booking.com: the Kayak.com site, for example, is owned by the same holding company and allows users to sign in with their Booking credentials, which exposed them to the same consequences. Once the flaws were reported to the Dutch company, the vulnerabilities were quickly fixed, the Salt Security teams stress.