API Security Flaw Found in Booking.com Allowed Full Account Takeover

Several security flaws have been found in the implementation of the Open Authorization (OAuth) social-login feature used by the online travel agency Booking.com.

The vulnerabilities discovered by Salt Security could potentially affect users logging into the site via their Facebook accounts.

"The OAuth misconfigurations could have allowed for both large-scale account takeover (ATO) on customers' accounts and server compromise," wrote Salt Security security researcher Aviad Carmel.

The security expert said that while OAuth provides a more effortless user experience in interacting with websites, its complex technical back-end can create security issues with potential exploitation.

"OAuth has quickly become the industry standard and is currently in use by hundreds of thousands of services around the world," said the company's VP of Research, Yaniv Balmas. "As a result, misconfigurations of OAuth can have a significant impact on both companies and customers as they leave precious data exposed to bad actors."

In particular, the researcher said they uncovered the vulnerabilities by manipulating specific steps in the OAuth sequence on the Booking.com site.

"[We] found they could hijack sessions and achieve account takeover (ATO), stealing user data and performing actions on behalf of users," Balmas wrote.

After discovering the flaws, Salt Labs disclosed them to Booking.com, and the company reportedly fixed them.

"On receipt of the report from Salt Security, our teams immediately investigated the findings and established that there had been no compromise to the Booking.com platform, and the vulnerability was swiftly resolved," a company spokesperson said.

Salt Labs said they saw no evidence of it having been exploited in the wild. The discovery comes almost a year after GitHub confirmed several organizations were compromised by a threat actor using stolen OAuth tokens to access their private repositories.

More recently, Microsoft revealed that threat actors installed OAuth applications on compromised cloud tenants and used them to control Exchange servers and spread spam.

Image credit: II.studio / Shutterstock.com