Salt Security Uncovers Critical Security Flaws in Booking.com
Salt Security has discovered several critical security flaws in Booking.com, one of the largest online travel agencies.
According to new threat research from Salt Labs, the flaws were found in the implementation of the Open Authorization (OAuth) social-login functionality utilized by Booking.com. It had the potential to affect any users logging into the site through their Facebook account.
The OAuth misconfigurations could have allowed for both large-scale account takeover (ATO) on customers’ accounts and server compromise, enabling bad actors to:
- Manipulate platform users to gain complete control over their accounts.
- Leak personally identifiable information (PII) and other sensitive user data stored internally by the sites.
- Perform any action on behalf of the user, such as booking or canceling reservations, and ordering transportation services.
Popular across websites and web services, OAuth lets users log into sites using their social media accounts, in one click, instead of via traditional user registration and username/password authentication.
Yaniv Balmas is vice president of research at Salt Security.
“OAuth has quickly become the industry standard and is currently in use by hundreds of thousands of services around the world,” he said. “As a result, misconfigurations of OAuth can have a significant impact on both companies and customers as they leave precious data exposed to bad actors. Security vulnerabilities can happen on any website, and as a result of rapid scaling, many organizations remain unaware of the myriad of security risks that exist within their platforms.”
Any Booking.com user configured to log in using Facebook might have been affected by this issue, according to Salt Security. Given the popularity of using the “log in with Facebook” option, millions of users could have been at risk from this issue.
Kayak.com (part of the same parent company, Booking Holdings) could have also been affected, as it allows users to log in using their Booking.com credentials, increasing the number of users susceptible to these security flaws by millions.
Upon discovering the vulnerabilities, Salt Labs’ researchers followed coordinated disclosure practices with Booking.com, and all issues were remediated with no evidence of these flaws having been exploited in the wild.