Salt Security Uncovers API Security Flaws within Booking.com that Allowed Full Account Takeover – Issues have been Remediated
Salt Security, the leading API security company, released new threat research from Salt Labs highlighting several critical security flaws in Booking.com. The flaws were found in the implementation of the Open Authorization (OAuth) social-login functionality utilized by Booking.com, which had the potential to affect any users logging into the site through their Facebook account. The OAuth misconfigurations could have allowed for both large-scale account takeover (ATO) on customers’ accounts and server compromise, enabling bad actors to:
- Manipulate platform users to gain complete control over their accounts
- Leak Personal Identifiable Information (PII) and other sensitive user data stored internally by the sites
- Perform any action on behalf of the user, such as booking or canceling reservations and ordering transportation services
Recommended AI News: Blotout Announces New Partnership with Fastly to Improve Meta Ad Spend with Blotout’s EdgeTag
Salt Labs, the research arm of Salt Security and a public forum for API security education, discovered the API security gaps and provided the vulnerability analysis.
Salt Labs researchers discovered security vulnerabilities in the social login functionality used by booking.com, implemented with an industry-standard protocol called OAuth. Popular across websites and web services, OAuth lets users log into sites using their social media accounts, in one-click, instead of via “traditional” user registration and username/password authentication.
While OAuth provides users with a much easier experience in interacting with websites, its complex technical back end can create security issues with the potential for exploitation. By manipulating certain steps in the OAuth sequence on the Booking.com site, Salt Labs researchers found they could hijack sessions and achieve account takeover (ATO), stealing user data and performing actions on behalf of users.
Any Booking.com user configured to log in using Facebook might have been affected by this issue. Given the popularity of using the “log in with Facebook” option, millions of users could have been at risk from this issue. Kayak.com (part of the same parent company, Booking Holdings Inc.) could have also been affected, as it allows users to log in using their Booking.com credentials, increasing the number of users susceptible to these security flaws by millions.
Upon discovering the vulnerabilities, Salt Labs’ researchers followed coordinated disclosure practices with Booking.com, and all issues were remediated swiftly, with no evidence of these flaws having been exploited in the wild.
Recommended AI News: Complete Verkada Platform is Now Available Across the UK and Europe
“OAuth has quickly become the industry standard and is currently in use by hundreds of thousands of services around the world,” said Yaniv Balmas, VP of Research, Salt Security. “As a result, misconfigurations of OAuth can have a significant impact on both companies and customers as they leave precious data exposed to bad actors. Security vulnerabilities can happen on any website, and as a result of rapid scaling, many organizations remain unaware of the myriad of security risks that exist within their platforms.”
Recommended AI News: Raising the Ceiling of Code-Free Programming for Robotics and Industrial Automation
[To share your insights with us, please write to sghosh@martechseries.com]
Comments are closed.