Salt Labs identifies OAuth security flaw within Booking.com

Security flaw in Booking.com OAuth implementation could be used to launch account takeovers, but researchers discovered and flagged the issue before it could be exploited in the wild

Sebastian Klovig Skelton

By

Published: 02 Mar 2023 13:00

Critical security flaws in Booking.com’s implementation of Open Authorization (OAuth) could have enabled attackers to launch large-scale account takeovers, putting millions of people’s sensitive personal data at risk, finds threat research by Salt Labs.

An industry-standard social login protocol, OAuth allows users to log in to sites via their social media accounts, but by manipulating certain steps in Booking.com’s authorisation sequence, Salt Labs researchers found they could hijack sessions and conduct account takeovers.

Gaining complete control of people’s accounts in this way would have enabled attackers to leak personal identifiable information and other sensitive user data, as well as perform any action on behalf of the user, including making bookings or cancellations.

The researchers said that anyone configured to log in to Booking.com via Facebook would have been vulnerable and that – given the popularity of the feature and the fact that the site has up to 500 million visitors each month – millions could have been affected by a successful exploit.

The threat was compounded by the fact that attackers could then use the compromised Booking.com login to gain access to sister company’s Kayak.com user accounts.

“OAuth has quickly become the industry standard and is currently in use by hundreds of thousands of services around the world,” said Yaniv Balmas, vice-president of research at Salt Security.

“As a result, misconfigurations of OAuth can have a significant impact on both companies and customers as they leave precious data exposed to bad actors. Security vulnerabilities can happen on any website, and as a result of rapid scaling, many organisations remain unaware of the myriad of security risks that exist within their platforms.”

Upon discovering the vulnerabilities, Salt Labs – the research arm of application programming interface (API) security company Salt Security – followed coordinated disclosure practices with Booking.com, and all issues were remediated. There is no evidence of the flaws having been exploited in the wild.

“On receipt of the report from Salt Security, our teams immediately investigated the findings and established that there had been no compromise to the Booking.com platform, and the vulnerability was swiftly resolved,” said a Booking.com spokesperson.

“We take the protection of customer data extremely seriously. Not only do we handle all personal data in line with the highest international standards, but we are continuously innovating our processes and systems to ensure optimal security on our platform, while evaluating and enhancing the robust security measures we already have in place.

“As part of this commitment, we welcome collaboration with the global security community, and our Bug Bounty Programme should be utilised in these instances.”

The researchers have also published a detailed technical breakdown of the vulnerability and how it was exploited, which runs through how they were able to string together three sperate security issues to achieve account takeovers.

“The vulnerability described in this document is a combination of three minor security gaps. Most of the focus is on the first security gap, which allows the attacker to choose another path for the redirect_uri,” they said.

“When you do an integration with Facebook or another vendor, it’s extremely important to provide hard-coded paths for the redirect_uri in the Facebook configuration.”

According to the Salt security state of API security report, Q3 2022, Salt customers experienced a 117% increase in API attack traffic while their overall API traffic grew 168%

The growth trend has seen an increasing number of high-profile incidents linked to API traffic this year, including the recent attack on Australian telco Optus, which saw names, addresses, dates of birth, phone numbers, email addresses, and driving licence and passport data relating to 11 million customers stolen and held to ransom – an incident so serious in its scope that the Australian government is now planning to amend its telecoms security regulations.

Read more on Business applications

Read More
Dion Pecora

Latest

Karsh Kale: ‘I Had All But Stopped Making Music’

Music After nearly a decade without a solo album,...

Philipp Jung, Co-Founder of Get Physical and M.A.N.D.Y., Has Died

Music Philipp Jung, the German DJ and producer behind...

Newsletter

Don't miss

Karsh Kale: ‘I Had All But Stopped Making Music’

Music After nearly a decade without a solo album,...

Philipp Jung, Co-Founder of Get Physical and M.A.N.D.Y., Has Died

Music Philipp Jung, the German DJ and producer behind...

Breitbart Business Digest: Stacking Those $250 Trump Bills

Weekly Wrap: Making It Rain with Trump Bills Welcome back to Friday! This is the Breitbart Business Digest weekly wrap, our septidialogic sweep through the economic and financial news. This week the economy failed to get indigestion from the high price of gas, Treasury Secretary Scott Bessent told us about getting fed at the Fed, Trump

Business seminar in Munich highlights Hong Kong’s strategic roles amidst global shifts (with photos)

Business seminar in Munich highlights Hong Kong's strategic roles amidst global shifts (with photos) ******************************************************************************************      The Hong Kong Economic and Trade Office, Berlin (HKETO Berlin), promoted Hong Kong's unique advantages and strategic roles at the seminar "Hong Kong's strategic role amidst geopolitical tensions" on June 18 (Munich time) in Munich, Germany.             Senior executives, investors

AI for business services: From job fears to productivity

AI for business services: From job fears to productivity