Online travel agency Booking.com recently had serious vulnerabilities discovered that could have enabled attackers to take over user accounts. The flaws were identified by API security company Salt Security in December 2022, with patches being rolled out in the following weeks.
The vulnerabilities centered around how Booking.com implemented OAuth, the authorization standard used by many online services. Specifically, the OAuth integration with Facebook was flawed, allowing an attacker to gain control of a user’s account and perform actions on their behalf.
Booking.com’s sister website, Kayak.com, which allows users to log in using their Booking account, was also impacted by the vulnerabilities. To exploit the weaknesses, attackers needed to trick the targeted user into clicking on a specially crafted link, allowing them to capture a logged-in user’s authentication code for Booking.com.
They would then need to access their own Booking.com account from a mobile application and replace their own code with the victim’s code to gain full access to the account. Salt Security believes that millions of users could have been exposed to attacks exploiting these vulnerabilities.
Salt Security disclosed technical details of the vulnerabilities on Thursday, providing information about the weaknesses and how they could have been exploited. This information is vital for users and administrators to understand the risks they face when using online services such as Booking.com.
The discovery highlights the importance of implementing secure authentication mechanisms to protect users from potential account takeovers and other malicious attacks.