A recent vulnerability in an online travel service used by various commercial airline platforms has been disclosed, posing a significant security risk. The flaw, identified as an OAuth redirect vulnerability, could allow attackers to hijack user accounts, potentially putting millions of online airline users in danger. By exploiting this flaw, attackers could impersonate victims and make unauthorized bookings, including using the victim’s loyalty points to book hotels or car rentals. The vulnerability arises when a user logs in through an airline service, which then redirects to a travel service to finalize authentication.
The flaw is particularly dangerous because it can be exploited with minimal effort. Attackers can send a specially crafted link that users may click unknowingly, allowing the attacker to gain access to their account immediately after the login process is complete. The vulnerability exists in the redirect flow between the airline service and the hotel and car rental platform, where the victim’s session token is manipulated to be sent to a malicious site under the attacker’s control.
This flaw has been described as a severe risk to users’ personal information and accounts.
Due to the nature of the vulnerability, where manipulation occurs at the parameter level rather than the domain level, the attack is difficult to detect. Since the attacker uses a legitimate customer domain in their attack, the method avoids detection through standard domain inspection or blocklisting techniques. This subtlety makes the flaw more dangerous, as it can easily bypass traditional security measures like blocklists or allowlists, making it harder for users and security systems to identify malicious activity.
The vulnerability was uncovered by API security firm Salt Labs, which has emphasized the growing threat of service-to-service interactions being targeted in API supply chain attacks. These kinds of attacks exploit weaker links in the ecosystem, often third-party integrations, to breach systems and access sensitive customer data. Salt Labs has highlighted the need for improved security measures, especially in services involving third-party integrations, to prevent unauthorized account access and mitigate the potential risks posed by such vulnerabilities.