Critical security flaws in Booking.com’s implementation of Open Authorization (OAuth) could have enabled attackers to launch large-scale account takeovers, putting millions of people’s sensitive personal data at risk, finds threat research by Salt Labs.
An industry-standard social login protocol, OAuth allows users to log in to sites via their social media accounts, but by manipulating certain steps in Booking.com’s authorisation sequence, Salt Labs researchers found they could hijack sessions and conduct account takeovers.
Gaining complete control of people’s accounts in this way would have enabled attackers to leak personal identifiable information and other sensitive user data, as well as perform any action on behalf of the user, including making bookings or cancellations.
The researchers said that anyone configured to log in to Booking.com via Facebook would have been vulnerable and that – given the popularity of the feature and the fact that the site has up to 500 million visitors each month – millions could have been affected by a successful exploit.
The threat was compounded by the fact that attackers could then use the compromised Booking.com login to gain access to sister company’s Kayak.com user accounts.
“OAuth has quickly become the industry standard and is currently in use by hundreds of thousands of services around the world,” said Yaniv Balmas, vice-president of research at Salt Security.
“As a result, misconfigurations of OAuth can have a significant impact on both companies and customers as they leave precious data exposed to bad actors. Security vulnerabilities can happen on any website, and as a result of rapid scaling, many organisations remain unaware of the myriad of security risks that exist within their platforms.”
Upon discovering the vulnerabilities, Salt Labs – the research arm of application programming interface (API) security company Salt Security – followed coordinated disclosure practices with Booking.com, and all issues were remediated. There is no evidence of the flaws having been exploited in the wild.
“On receipt of the report from Salt Security, our teams immediately investigated the findings and established that there had been no compromise to the Booking.com platform, and the vulnerability was swiftly resolved,” said a Booking.com spokesperson.
“We take the protection of customer data extremely seriously. Not only do we handle all personal data in line with the highest international standards, but we are continuously innovating our processes and systems to ensure optimal security on our platform, while evaluating and enhancing the robust security measures we already have in place.
“As part of this commitment, we welcome collaboration with the global security community, and our Bug Bounty Programme should be utilised in these instances.”
The researchers have also published a detailed technical breakdown of the vulnerability and how it was exploited, which runs through how they were able to string together three sperate security issues to achieve account takeovers.
“The vulnerability described in this document is a combination of three minor security gaps. Most of the focus is on the first security gap, which allows the attacker to choose another path for the redirect_uri,” they said.
“When you do an integration with Facebook or another vendor, it’s extremely important to provide hard-coded paths for the redirect_uri in the Facebook configuration.”
According to the Salt security state of API security report, Q3 2022, Salt customers experienced a 117% increase in API attack traffic while their overall API traffic grew 168%
The growth trend has seen an increasing number of high-profile incidents linked to API traffic this year, including the recent attack on Australian telco Optus, which saw names, addresses, dates of birth, phone numbers, email addresses, and driving licence and passport data relating to 11 million customers stolen and held to ransom – an incident so serious in its scope that the Australian government is now planning to amend its telecoms security regulations.