{"id":613502,"date":"2023-03-02T08:49:40","date_gmt":"2023-03-02T14:49:40","guid":{"rendered":"https:\/\/news.sellorbuyhomefast.com\/index.php\/2023\/03\/02\/salt-labs-identifies-oauth-security-flaw-within-booking-com\/"},"modified":"2023-03-02T08:49:40","modified_gmt":"2023-03-02T14:49:40","slug":"salt-labs-identifies-oauth-security-flaw-within-booking-com","status":"publish","type":"post","link":"https:\/\/newsycanuse.com\/index.php\/2023\/03\/02\/salt-labs-identifies-oauth-security-flaw-within-booking-com\/","title":{"rendered":"Salt Labs identifies OAuth security flaw within Booking.com"},"content":{"rendered":"<div id=\"content-header\">\n<h2>Security flaw in Booking.com OAuth implementation could be used to launch account takeovers, but researchers discovered and flagged the issue before it could be exploited in the wild<\/h2>\n<\/div>\n<div id=\"content-center\">\n<div id=\"contributors-block\">\n<p><img decoding=\"async\" src=\"https:\/\/cdn.ttgtmedia.com\/rms\/computerweekly\/Sebastian-Klovig-Skelton-CW-contributor.jpg\" alt=\"Sebastian Klovig Skelton\">\n\t\t\t\t\t<\/p>\n<p><span>By<\/span><\/p>\n<ul>\n<li>\n\t\t\t\t\t<a href=\"https:\/\/www.techtarget.com\/contributor\/Sebastian-Klovig-Skelton\">Sebastian Klovig Skelton,<\/a><br \/>\n\t\t\t\t\t\t<span>Senior reporter<\/span>\n\t\t\t\t\t\t<\/li>\n<\/ul>\n<p>\n\tPublished: <span>02 Mar 2023 13:00<\/span>\n<\/p>\n<\/div>\n<section id=\"content-body\">\n<p>Critical security flaws in Booking.com\u2019s implementation of Open Authorization (OAuth) could have enabled attackers to launch large-scale account takeovers, putting millions of people\u2019s sensitive personal data at risk, finds threat research by Salt Labs.<\/p>\n<p>An industry-standard social login protocol, <a href=\"https:\/\/www.techtarget.com\/searchsecurity\/news\/252516048\/Stolen-Oauth-tokens-lead-to-dozens-of-breached-GitHub-repos\">OAuth<\/a> allows users 
to log in to sites via their social media accounts, but by manipulating certain steps in Booking.com\u2019s authorisation sequence, Salt Labs researchers found they could hijack sessions and conduct <a href=\"https:\/\/www.computerweekly.com\/news\/252489542\/Third-party-code-bug-left-Instagram-users-at-risk-of-account-takeover\">account takeovers<\/a>.<\/p>\n<p>Gaining complete control of people\u2019s accounts in this way would have enabled attackers to leak personal identifiable information and other sensitive user data, as well as perform any action on behalf of the user, including making bookings or cancellations.<\/p>\n<p>The researchers said that anyone configured to log in to Booking.com via Facebook would have been vulnerable and that \u2013 given the popularity of the feature and the fact that the site has up to 500 million visitors each month \u2013 millions could have been affected by a successful exploit.<\/p>\n<p>The threat was compounded by the fact that attackers could then use the compromised Booking.com login to gain access to sister company\u2019s Kayak.com user accounts.<\/p>\n<p>\u201cOAuth has quickly become the industry standard and is currently in use by hundreds of thousands of services around the world,\u201d said Yaniv Balmas, vice-president of research at Salt Security.<\/p>\n<p>\u201cAs a result, misconfigurations of OAuth can have a significant impact on both companies and customers as they leave precious data exposed to bad actors. 
Security vulnerabilities can happen on any website, and as a result of rapid scaling, many organisations remain unaware of the myriad of security risks that exist within their platforms.\u201d<\/p>\n<p>Upon discovering the vulnerabilities, Salt Labs \u2013 the research arm of <a href=\"https:\/\/www.computerweekly.com\/feature\/API-Management-assessing-reliability-and-security\">application programming interface (API) security<\/a> company Salt Security \u2013 followed coordinated disclosure practices with Booking.com, and all issues were remediated. There is no evidence of the flaws having been exploited in the wild.<\/p>\n<p>\u201cOn receipt of the report from Salt Security, our teams immediately investigated the findings and established that there had been no compromise to the Booking.com platform, and the vulnerability was swiftly resolved,\u201d said a Booking.com spokesperson.<\/p>\n<p>\u201cWe take the protection of customer data extremely seriously. Not only do we handle all personal data in line with the highest international standards, but we are continuously innovating our processes and systems to ensure optimal security on our platform, while evaluating and enhancing the robust security measures we already have in place.<\/p>\n<p>\u201cAs part of this commitment, we welcome collaboration with the global security community, and our Bug Bounty Programme should be utilised in these instances.\u201d<\/p>\n<p>The researchers have also published a detailed technical breakdown of the vulnerability and how it was exploited, which runs through how they were able to string together three separate security issues to achieve account takeovers.<\/p>\n<p>\u201cThe vulnerability described in this document is a combination of three minor security gaps. 
Most of the focus is on the first security gap, which allows the attacker to choose another path for the redirect_uri,\u201d they said.<\/p>\n<p>\u201cWhen you do an integration with Facebook or another vendor, it\u2019s extremely important to provide hard-coded paths for the redirect_uri in the Facebook configuration.\u201d<\/p>\n<p>According to the <em><a href=\"https:\/\/salt.security\/api-security-trends\">Salt Security State of API Security Report, Q3 2022<\/a><\/em>, Salt customers experienced a 117% increase in API attack traffic while their overall API traffic grew 168%.<\/p>\n<p>The growth trend has seen an increasing number of high-profile incidents linked to API traffic this year, including <a href=\"https:\/\/www.computerweekly.com\/news\/252525513\/Optus-breach-casts-spotlight-on-cyber-resilience\">the recent attack on Australian telco Optus<\/a>, which saw names, addresses, dates of birth, phone numbers, email addresses, and driving licence and passport data relating to 11 million customers stolen and held to ransom \u2013 an incident so serious in its scope that the Australian government is now <a href=\"https:\/\/www.computerweekly.com\/news\/252525831\/Australia-to-amend-telecoms-regulations-following-Optus-breach\">planning to amend its telecoms security regulations<\/a>.<\/p>\n<\/section>\n<\/div>\n<p><a href=\"https:\/\/www.computerweekly.com\/news\/365532003\/Salt-Labs-identifies-OAuth-security-flaw-within-Bookingcom\" class=\"button purchase\" rel=\"nofollow noopener\" target=\"_blank\">Read More<\/a><br \/>\n Dion Pecora<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security flaw in Booking.com OAuth implementation could be used to launch account takeovers, but researchers discovered and flagged the issue before it could be exploited in the wild By Sebastian Klovig Skelton, Senior reporter Published: 02 Mar 2023 13:00 Critical security flaws in Booking.com\u2019s implementation of Open Authorization (OAuth) could have enabled attackers to 
launch<\/p>\n","protected":false},"author":1,"featured_media":613503,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[22744,119836,46],"tags":[],"class_list":{"0":"post-613502","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-identifies","8":"category-oauth","9":"category-technology"},"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/613502","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/comments?post=613502"}],"version-history":[{"count":0,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/613502\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media\/613503"}],"wp:attachment":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media?parent=613502"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/categories?post=613502"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/tags?post=613502"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}