- Booking.com apparently links reservations to accounts without any verification
- User finds typing the wrong email address could link your vacation to another account
- The company did not remove a false booking from one user’s account
Travellers using Booking.com to pay for accommodation and transport have been warned about a simple typo bug that could see them share their private trip details with strangers, giving them access to sensitive information and even allowing them to take control over bookings.
The issue came to light when a Booking.com user, named as Alfie, received an unexpected email confirming a trip that he hadn’t booked.
Although he exercised caution by not following links on the email, suspecting it was a phishing scam, the mysterious booking had been added to his account, confirming suspicions that the email was indeed from Booking.com.
After failing to receive an explanation from the company’s support team, Alfie shared the story with Ars Technica which pressed Booking.com for answers.
It was later revealed the problem occurred when another user had entered Alfie’s email address, presumably by accident, causing the reservation to link to his account. Booking.com has therefore stated the incident is neither a “system glitch” nor a “security breach,” however we now have questions about the robustness of Booking.com’s system.
Booking.com said (via Ars Technica): “Following our investigation, we found that the issue occurred due to a customer input error during the reservation process, where he inadvertently entered an incorrect email address. That email address, however, belonged to another Booking.com customer which caused the reservation to be linked to their account.”
Alfie’s experience highlights a worrying loophole where Booking.com’s system automatically adds bookings to accounts via the email address provided, without any further verification, making it easy to inadvertently share private information with others and lose your own booking.
Although the chances of typing a completely different email address are pretty slim, a single misplaced letter could direct the booking to another closely related email address.
Moreover, Booking.com declined to remove the trip from Alfie’s account, stating that it would be a violation of the privacy of the user who actually booked the trip.
Leave a comment