Online travel giant says it was not compromised through recently-discovered vulnerability
Online travel agency giant Booking.com said Friday that it was not compromised through a vulnerability on the platform that was recently discovered by researchers.
Several publications on Thursday reported that researchers from Salt Security said they found several critical security flaws on Booking.com and its sister company Kayak. The flaws involved the tool that allows people to log in to the sites through their Facebook or Google accounts.
In a statement, Booking.com said it immediately investigated the findings after receiving Salt Security’s report, "resolved" the vulnerability, and said there had been no compromise of their platform.
“We take the protection of customer data extremely seriously. Not only do we handle all personal data in line with the highest international standards, but we are continuously innovating our processes and systems to ensure optimal security on our platform, while evaluating and enhancing the robust security measures we already have in place,” the company told The Record.
“As part of this, we welcome collaboration with the global security community and our Bug Bounty Program should be utilized in these instances.”
Kayak did not respond to a request for comment.
Salt Security researchers explained that the vulnerabilities center on the implementation of Open Authorization (OAuth), a tool that allows users to log in through other social media accounts, including Facebook and Google.
Many of the internet’s most popular websites allow people to log into accounts through OAuth with one click instead of using “traditional” user registration and username/password authentication.
If exploited, the bugs could have allowed both large-scale takeover of customer accounts and server compromise, the researchers said, giving attackers the ability to manipulate the platform, leak personal information and perform actions on behalf of users. Hackers could have booked hotels, canceled reservations or ordered transportation services.
“OAuth has quickly become the industry standard and is currently in use by hundreds of thousands of services around the world,” said Yaniv Balmas, vice president of research at Salt Security, an application programming interface (API) security platform.
“As a result, misconfigurations of OAuth can have a significant impact on both companies and customers as they leave precious data exposed to bad actors. Security vulnerabilities can happen on any website, and as a result of rapid scaling, many organizations remain unaware of the myriad of security risks that exist within their platforms.”
Salt Security researchers noted that OAuth 2.0 is used in a range of contexts, like allowing Slack users to share their Google calendars so colleagues can see when they are in meetings.
They explained that OAuth was not originally intended to be an authentication framework, but it has emerged as a widely used login mechanism because it lets ecommerce websites authenticate returning users and let them make purchases without entering their credentials multiple times.
“While OAuth provides users with a much easier experience in interacting with websites, its complex technical back end can create security issues with the potential for exploitation,” the researchers said.
“By manipulating certain steps in the OAuth sequence on the Booking.com site, Salt Labs researchers found they could hijack sessions and achieve account takeover, stealing user data and performing actions on behalf of users.”
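As an added example (not code from Booking.com, Kayak or Salt Security; the site name, session dictionary and URLs are constructed), these are the two checks a relying site should perform on the redirect back from the identity provider in the "log in with Google/Facebook" flow described above: an exact match on the registered redirect URI, and a single-use state value bound to the user's own session, so a manipulated or replayed OAuth step is rejected before any authorization code is exchanged.

```python
import hmac
import secrets
from urllib.parse import urlsplit, parse_qs

# Exact redirect_uri the site registered with the identity provider (constructed value).
REGISTERED_REDIRECT_URI = "https://example.test/oauth/callback"


def begin_login(session: dict) -> str:
    """Start the flow: mint a fresh, unguessable state and bind it to this session."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    return session["oauth_state"]


def redirect_uri_allowed(candidate: str) -> bool:
    """Exact string match only: no prefix match, no extra path, no other host or scheme."""
    return candidate == REGISTERED_REDIRECT_URI


def handle_callback(session: dict, callback_url: str) -> dict:
    """Validate the provider's redirect back before exchanging the code.

    Returns {"ok": bool, "reason": str, "code": str | None}.
    """
    parts = urlsplit(callback_url)
    # The URL actually hit must be the registered callback, not a look-alike host or path.
    hit = f"{parts.scheme}://{parts.netloc}{parts.path}"
    if not redirect_uri_allowed(hit):
        return {"ok": False, "reason": "redirect_uri mismatch", "code": None}
    query = parse_qs(parts.query)
    state = query.get("state", [""])[0]
    expected = session.pop("oauth_state", None)  # single use: a replay finds nothing
    if expected is None or not hmac.compare_digest(state.encode(), expected.encode()):
        return {"ok": False, "reason": "state missing or not bound to session", "code": None}
    code = query.get("code", [""])[0]
    if not code:
        return {"ok": False, "reason": "no authorization code", "code": None}
    # Only now would the site exchange `code` at the provider's token endpoint,
    # sending the same redirect_uri it registered.
    return {"ok": True, "reason": "", "code": code}
```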
Booking.com has more than 100 million registered users and Salt researchers said it is likely that millions are using the “log in with Facebook” option.
Salt Security said that, overall, its customers are experiencing steep increases in the kind of API attack traffic that would target vulnerabilities like the one seen on Booking.com: it saw a 117% year-on-year increase in such traffic among its customers in 2022.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.