Danger in the booking: a serious security breach was discovered on the Booking website

by time news

The cyber company “Salt Security” revealed serious security flaws in the API interface of Booking.com which created the possibility for attackers to take control of user accounts, receive personal data, cancel or make reservations and perform other actions on their behalf.

The flaw also affected users of the popular travel site Kayak.com, which belongs to the Booking group and whose login goes through the group's shared authentication mechanism, so it put millions of people worldwide at risk.

The company contacted Booking's security team, informed them of the flaws and how to fix them, and the deficiencies were corrected before any evidence emerged that the flaws had been exploited.

The flaw was in the OAuth integration Booking uses to let users log in with their Facebook account.

The flaw made it possible for attackers to modify the details of the platform's users and so gain full control over their accounts, including personal information, sensitive data on actions and user profiles stored internally by the company, to book hotel rooms, cancel reservations, and use other services that Booking offers, such as booking transportation.

The security vulnerabilities were discovered and analyzed by Salt Labs, the research arm of Salt Security. The implementation of the OAuth protocol is popular on websites to identify and connect customer users through their social media accounts, with one click, instead of through traditional user registration that involves a more complex process of username and password verification.
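The article does not say which part of the OAuth flow was misconfigured, so the following is a generic illustration of the client-side checks that a social-login callback should perform, added here as an example and not code from Booking, Kayak or Salt Security. The authorization endpoint, client identifier, redirect URI and session store are all constructed for the example.

```python
"""Hardened handling of an OAuth 2.0 authorization-code login callback (client side).

Illustrative example only; not Booking.com's or Salt Security's code. Every URL,
client identifier and session key below is constructed for this example.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed allow-list of the exact redirect URIs registered with the identity provider.
REGISTERED_REDIRECT_URIS = {
    "https://app.example.com/oauth/callback",
}


def build_authorization_url(authorize_endpoint, client_id, redirect_uri, session):
    """Start the login flow: mint an unguessable state value, bind it to the
    user's session, and refuse any redirect_uri that is not an exact registered match."""
    if redirect_uri not in REGISTERED_REDIRECT_URIS:
        raise ValueError("redirect_uri is not registered")
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    session["oauth_redirect_uri"] = redirect_uri
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "email",
        "state": state,
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def validate_callback(callback_url, session):
    """Handle the provider's redirect back to the site. Returns the authorization
    code only when every check passes, otherwise None."""
    parsed = urlparse(callback_url)
    base = f"{parsed.scheme}://{parsed.netloc}{parsed.path}"
    # 1. The callback must land on exactly the URI the user was sent out with
    #    (host, scheme and path compared as a whole, no prefix or substring matching).
    if base != session.get("oauth_redirect_uri"):
        return None
    qs = parse_qs(parsed.query)
    # 2. Authorization-code flow only: a token delivered in the query or fragment is rejected.
    if "access_token" in qs or parsed.fragment:
        return None
    # 3. state must be present, single-use (popped from the session) and compared
    #    in constant time, which defeats replay and login-CSRF attempts.
    expected = session.pop("oauth_state", None)
    received = qs.get("state", [None])[0]
    if expected is None or received is None or not hmac.compare_digest(expected, received):
        return None
    code = qs.get("code", [None])[0]
    if not code:
        return None
    # The caller exchanges `code` at the token endpoint over a server-to-server call,
    # sending the same redirect_uri, so the provider can enforce the binding as well.
    return code
```

The important design choice is that the redirect URI is never derived from the incoming request: it is fixed at registration time, echoed into the session when the flow starts, and compared exactly on return, so a callback arriving at any other host or path is discarded before the code or state are even read.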

According to Yaniv Balmas, Salt Security's vice president of research, who led the process of identifying and correcting the deficiencies: “OAuth quickly became an industry standard, since it provides users with an easy and pleasant experience in interacting with websites and is currently used by hundreds of thousands of services around the world.”

“As a result, OAuth misconfigurations can have a significant impact on both companies and customers, as they leave sensitive data exposed to attackers,” he added. “As a result of the rapid expansion of the field, many organizations remain unaware of the myriad security risks that exist in their platforms.”
