- A travel service, integrated into many airline service providers, carried a security flaw
- This could be abused to log into people’s accounts and change their bookings
- It has since been reported and mitigated
A “popular, top-tier” travel service for hotel and car rentals was vulnerable to a flaw which allowed malicious actors to take over anyone’s account, a new report from API security firm Salt Labs has claimed.
By abusing the flaw, they would be able to book hotel rooms, rent cars, and modify any booking information, easily. To make matters worse, since the service is integrated into “dozens” of commercial airline online services, it would also allow miscreants to spend airline loyalty points, and more.
Salt Labs said millions of people could be at risk, but that it did not want to say the name of the affected service.
Stealing session cookies
Here is how a theoretical attack would work: A malicious actor would create a custom-tailored link and share it with the victim via usual channels (for example, email). The victim would click on the link, leading to the rental service provider, which would ask it to log in with the credentials associated with the airline service provider.
At that point, the rental platform generates a second link, and sends the victim back to the airline’s website, to log in using OAuth.
OAuth (Open Authorization) is an open standard for secure access delegation, allowing applications to access a user’s data on another service without exposing their credentials.
Because of the custom-built link, the authentication response is returned to the attackers, including the user’s session token, which grants them access to the platform.
“Since the manipulated link uses a legitimate customer domain (with manipulation occurring only at the parameter level rather than the domain level), this makes the attack difficult to detect through standard domain inspection or blocklist/allowlist methods,” the researchers said in their write-up.
Salt Labs disclosed its findings to the affected service, which confirmed the flaw and deployed a fix.
Leave a comment