Salt Labs researchers identified vulnerabilities which could have enabled attackers to take over users’ accounts, exfiltrate private account data, and cancel or book reservations and perform other actions on their behalf
PALO ALTO, Calif. – March 2, 2023 – Salt Security, the leading API security company, today released new threat research from Salt Labs highlighting several critical security flaws in Booking.com. The flaws were found in the implementation of the Open Authorization (OAuth) social-login functionality utilized by Booking.com, which had the potential to affect users logging into the site through their Facebook account. The OAuth misconfigurations could have allowed for large-scale account takeover (ATO) on customers’ accounts, enabling bad actors to:
- Manipulate platform users to gain complete control over their accounts
- Leak Personal Identifiable Information (PII) and other sensitive user data stored internally by the sites
- Perform any action on behalf of the user, such as booking or canceling reservations and ordering transportation services
Salt Labs, the research arm of Salt Security and a public forum for API security education, discovered the API security gaps and provided the vulnerability analysis.
Salt Labs researchers discovered security vulnerabilities in the social login functionality used by booking.com, implemented with an industry-standard protocol called OAuth. Popular across websites and web services, OAuth lets users log into sites using their social media accounts, in one-click, instead of via “traditional” user registration and username/password authentication.
While OAuth provides users with a much easier experience in interacting with websites, its complex technical back end can create security issues with the potential for exploitation. By manipulating certain steps in the OAuth sequence on the Booking.com site, Salt Labs researchers found they could hijack sessions and achieve account takeover (ATO), stealing user data and performing actions on behalf of users.
Any Booking.com user configured to log in using Facebook might have been affected by this issue. Given the popularity of using the “log in with Facebook” option, millions of users could have been at risk from this issue. Kayak.com (part of the same parent company, Booking Holdings Inc.) could have also been affected, as it allows users to log in using their Booking.com credentials, increasing the number of users susceptible to these security flaws by millions.
Upon discovering the vulnerabilities, Salt Labs’ researchers followed coordinated disclosure practices with Booking.com, and all issues were remediated swiftly, with no evidence of these flaws having been exploited in the wild.
“OAuth has quickly become the industry standard and is currently in use by hundreds of thousands of services around the world,” said Yaniv Balmas, VP of Research, Salt Security. “As a result, misconfigurations of OAuth can have a significant impact on both companies and customers as they leave precious data exposed to bad actors. Security vulnerabilities can happen on any website, and as a result of rapid scaling, many organizations remain unaware of the myriad of security risks that exist within their platforms.”
According to the Salt Security State of API Security Report, Q3 2022, Salt customers experienced a 117% increase in API attack traffic while their overall API traffic grew 168%. The Salt Security API Protection Platform enables companies to identify risks and vulnerabilities in APIs before they are exploited by attackers, including those listed in the OWASP API Security Top 10. The platform protects APIs across their full lifecycle – build, deploy and runtime phases – utilizing cloud-scale big data combined with AI and ML to baseline millions of users and APIs. By delivering context-based insights across the entire API lifecycle, Salt enables users to detect the reconnaissance activity of bad actors and block them before they can reach their objective. The exploits the Salt Labs team performed would have immediately triggered the Salt platform to highlight the attack.
To learn more about Salt Security or to request a demo, please visit https://content.salt.security/demo.html.