Artificial Intelligence | News | Insights | AiThority
[bsfp-cryptocurrency style=”widget-18″ align=”marquee” columns=”6″ coins=”selected” coins-count=”6″ coins-selected=”BTC,ETH,XRP,LTC,EOS,ADA,XLM,NEO,LTC,EOS,XEM,DASH,USDT,BNB,QTUM,XVG,ONT,ZEC,STEEM” currency=”USD” title=”Cryptocurrency Widget” show_title=”0″ icon=”” scheme=”light” bs-show-desktop=”1″ bs-show-tablet=”1″ bs-show-phone=”1″ custom-css-class=”” custom-id=”” css=”.vc_custom_1523079266073{margin-bottom: 0px !important;padding-top: 0px !important;padding-bottom: 0px !important;}”]

Salt Security Uncovers API Security Flaws within Booking.com that Allowed Full Account Takeover – Issues have been Remediated

Machine LearningNewsSecurity
By PRNewswire

Salt Security, the leading API security company, released new threat research from Salt Labs highlighting several critical security flaws in Booking.com. The flaws were found in the implementation of the Open Authorization (OAuth) social-login functionality utilized by Booking.com, which had the potential to affect any users logging into the site through their Facebook account. The OAuth misconfigurations could have allowed for both large-scale account takeover (ATO) on customers’ accounts and server compromise, enabling bad actors to:

  • Manipulate platform users to gain complete control over their accounts
  • Leak Personal Identifiable Information (PII) and other sensitive user data stored internally by the sites
  • Perform any action on behalf of the user, such as booking or canceling reservations and ordering transportation services

Recommended AI News: Blotout Announces New Partnership with Fastly to Improve Meta Ad Spend with Blotout’s EdgeTag

Salt Labs, the research arm of Salt Security and a public forum for API security education, discovered the API security gaps and provided the vulnerability analysis.

Salt Labs researchers discovered security vulnerabilities in the social login functionality used by booking.com, implemented with an industry-standard protocol called OAuth. Popular across websites and web services, OAuth lets users log into sites using their social media accounts, in one-click, instead of via “traditional” user registration and username/password authentication.

While OAuth provides users with a much easier experience in interacting with websites, its complex technical back end can create security issues with the potential for exploitation. By manipulating certain steps in the OAuth sequence on the Booking.com site, Salt Labs researchers found they could hijack sessions and achieve account takeover (ATO), stealing user data and performing actions on behalf of users.

Related Posts

Ex-Oracle and Google Engineers Get $7 Million From Accel for Public Launch of Simplismart to Empower AI Adoption

Data Quality and Combating Bias Emerge as Top Hurdles for AI Innovation, According to New Report

Verusen Unveils AI Asset Criticality Tool for Industries, Enhancing Downtime Reduction and Risk Management

1 of 41,006

Any Booking.com user configured to log in using Facebook might have been affected by this issue. Given the popularity of using the “log in with Facebook” option, millions of users could have been at risk from this issue. Kayak.com (part of the same parent company, Booking Holdings Inc.) could have also been affected, as it allows users to log in using their Booking.com credentials, increasing the number of users susceptible to these security flaws by millions.

Upon discovering the vulnerabilities, Salt Labs’ researchers followed coordinated disclosure practices with Booking.com, and all issues were remediated swiftly, with no evidence of these flaws having been exploited in the wild.

Recommended AI News: Complete Verkada Platform is Now Available Across the UK and Europe

“OAuth has quickly become the industry standard and is currently in use by hundreds of thousands of services around the world,” said Yaniv Balmas, VP of Research, Salt Security. “As a result, misconfigurations of OAuth can have a significant impact on both companies and customers as they leave precious data exposed to bad actors. Security vulnerabilities can happen on any website, and as a result of rapid scaling, many organizations remain unaware of the myriad of security risks that exist within their platforms.”

Recommended AI News: Raising the Ceiling of Code-Free Programming for Robotics and Industrial Automation

[To share your insights with us, please write to sghosh@martechseries.com]

PRNewswire

PR Newswire, a Cision company, is the premier global provider of multimedia platforms and distribution that marketers, corporate communicators, sustainability officers, public affairs and investor relations officers leverage to engage key audiences. Having pioneered the commercial news distribution industry over 60 years ago, PR Newswire today provides end-to-end solutions to produce, optimize and target content -- and then distribute and measure results. Combining the world's largest multi-channel, multi-cultural content distribution and optimization network with comprehensive workflow tools and platforms, PR Newswire powers the stories of organizations around the world. PR Newswire serves tens of thousands of clients from offices in the Americas, Europe, Middle East, Africa and Asia-Pacific regions.

You might also like More from author

Comments are closed.