Recently, security researchers discovered that the online travel agency Booking.com was impacted by serious vulnerabilities that could have allowed attackers to gain full control of a user’s account. The flaws were identified by API security firm Salt Security and reported to Booking.com in early December 2022. Salt Security disclosed the technical details of the vulnerabilities on Thursday.
The issues centered around the way Booking.com implemented OAuth, the authorization standard used by many online services to let customers sign in with their Google or Facebook accounts. An attacker could have exploited these weaknesses by tricking the targeted user into clicking on a specially crafted link that captured the user's authorization code. The attacker would then swap the captured code into the authentication request that the mobile app sends to the Booking server, gaining full access to the victim's account.
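The article does not say which fix Booking.com deployed; the following is an added illustration, not Booking.com's or Salt Security's code, of the server-side check that defeats this class of code-swapping attack. A constructed authorization server binds each authorization code to the PKCE challenge (RFC 7636) and redirect URI presented when the login began and lets it be redeemed once, so a code captured from a victim's link and swapped into a different client's token request is rejected.

```python
import base64
import hashlib
import secrets


def pkce_challenge(verifier: str) -> str:
    """S256 transform from RFC 7636: BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthServer:
    """Hypothetical authorization server (constructed for this example)."""

    def __init__(self):
        self.pending = {}  # code -> {"sub", "challenge", "redirect_uri"}

    def authorize(self, user: str, redirect_uri: str, code_challenge: str) -> str:
        # Issue a code bound to the challenge the *initiating* client supplied.
        code = secrets.token_urlsafe(16)
        self.pending[code] = {"sub": user, "challenge": code_challenge,
                              "redirect_uri": redirect_uri}
        return code

    def token(self, code: str, redirect_uri: str, code_verifier: str):
        rec = self.pending.pop(code, None)  # pop: any attempt consumes the code
        if rec is None:
            return None  # unknown, already redeemed, or expired
        if rec["redirect_uri"] != redirect_uri:
            return None  # code was issued for a different callback
        if pkce_challenge(code_verifier) != rec["challenge"]:
            return None  # verifier belongs to another client session: swapped code
        return {"sub": rec["sub"], "access_token": secrets.token_urlsafe(24)}


def simulate() -> dict:
    srv = AuthServer()
    cb = "app://callback"
    victim_verifier = secrets.token_urlsafe(32)  # never leaves the victim's app
    # Scenario 1: the victim's own app completes the flow, then the code is replayed.
    code1 = srv.authorize("victim", cb, pkce_challenge(victim_verifier))
    legit = srv.token(code1, cb, victim_verifier)
    replay = srv.token(code1, cb, victim_verifier)
    # Scenario 2: attacker captures a fresh code and swaps it into their own
    # app's token request, which carries the attacker's verifier, not the victim's.
    code2 = srv.authorize("victim", cb, pkce_challenge(victim_verifier))
    attacker_verifier = secrets.token_urlsafe(32)
    stolen = srv.token(code2, cb, attacker_verifier)
    return {"legit_accepted": legit is not None,
            "replay_accepted": replay is not None,
            "stolen_code_accepted": stolen is not None}
```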
The issue also impacted the sister website Kayak.com, which allows users to log in using their Booking account. Salt Security believes millions of users may have been exposed to potential attacks exploiting these vulnerabilities. Patches were rolled out in the weeks following the report and Salt Security has created a video demonstrating the exploit in action.
The incident serves as a reminder that even reputable companies can be vulnerable to cyberattacks, and users should always exercise caution when using online services. Moreover, these types of issues highlight the importance of API security, as well as the need for organizations to properly implement OAuth and other authorization standards.
In summary, security researchers recently discovered vulnerabilities in the online travel agency Booking.com that could have been exploited to take complete control of a user’s account. The flaws were related to the way Booking.com implemented OAuth and impacted the sister website Kayak.com as well. Patches were rolled out to address the issues and Salt Security has made a video demonstrating the exploit in action. This incident serves as a reminder of the importance of API security and proper implementation of OAuth.