UPDATED 08:00 EDT / MARCH 02 2023

SECURITY

OAuth vulnerabilities on Booking.com could have resulted in account takeovers

Security researchers at Salt Security Inc. today released new threat research detailing critical security flaws found on Booking.com, the popular hotel booking website operated by Booking Holdings Inc.

The flaws lay in how the Booking.com site implemented OAuth (Open Authorization) social login, potentially exposing any user who signed into the site with a Facebook account. The OAuth misconfigurations could have allowed large-scale takeover of customer accounts and server compromise.

Although there is no evidence that bad actors exploited the OAuth misconfigurations to gain access to customer accounts, the consequences could have been severe. An attacker who did could have manipulated platform users to gain complete control over their accounts, accessed personally identifiable information and other sensitive user data stored by Booking.com, and performed actions on behalf of the user, such as booking or canceling reservations and ordering transportation services.

The researchers at Salt Labs, the research arm of Salt Security, have gone public with their findings to highlight the risks in OAuth implementations. Popular across websites and web services, OAuth underpins social login, which lets users sign into a site with their social media accounts in one click instead of through “traditional” registration with a username and password.

OAuth gives users a much easier way to interact with websites, but the complex back-end flow it introduces can create security issues with the potential for exploitation, the researchers say.
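The article does not say which step of the flow Booking.com got wrong, so the following is an added, generic illustration rather than Booking.com's code or Salt Labs' findings. It sketches the site-side half of an OAuth 2.0 authorization-code login in Python and shows the two checks whose absence most often turns a social-login flow into an account-takeover primitive: a single-use, unguessable `state` value bound to the user's session that the callback must echo back, and a post-login destination validated against an exact host allow-list when the flow starts, never read back from the callback request. The provider URL, client ID and the token exchange are hypothetical placeholders so the module runs offline.

```python
"""Minimal OAuth 2.0 authorization-code client (the site doing social login).

Added, generic example: not Booking.com's code and not Salt Labs' findings.
It shows the two client-side checks whose absence most often lets a social
login flow be abused for account takeover:
  1. a single-use, unguessable `state` bound to the user's session, which the
     provider must echo back unchanged on the callback (blocks login CSRF and
     replay of captured callbacks);
  2. a post-login destination validated against an exact host allow-list at
     the start of the flow, never read back from the callback request.
Provider URL, client ID and the token exchange are hypothetical placeholders
so the module runs offline.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical registration with an identity provider (assumed values).
PROVIDER_AUTHORIZE = "https://idp.example/oauth/authorize"
CLIENT_ID = "demo-client"
# The only redirect_uri this client ever sends. It is registered with the
# provider and is never derived from user input.
REGISTERED_REDIRECT_URI = "https://app.example/oauth/callback"
# Hosts a user may be sent to after login; matched exactly, https only.
ALLOWED_POST_LOGIN_HOSTS = {"app.example", "account.app.example"}
DEFAULT_POST_LOGIN = "https://app.example/"


def safe_post_login_target(next_url):
    """Return next_url only if it is an https URL on an allow-listed host.

    Exact hostname matching rejects look-alikes (app.example.evil.test),
    userinfo tricks (https://app.example@evil.test) and protocol-relative
    forms (//evil.test), all of which substring or prefix checks let through.
    """
    if not next_url:
        return DEFAULT_POST_LOGIN
    try:
        parts = urlsplit(next_url)
    except ValueError:
        return DEFAULT_POST_LOGIN
    if parts.scheme != "https":
        return DEFAULT_POST_LOGIN
    if parts.username is not None or parts.password is not None:
        return DEFAULT_POST_LOGIN
    if parts.hostname not in ALLOWED_POST_LOGIN_HOSTS:
        return DEFAULT_POST_LOGIN
    return next_url


def begin_login(session, next_url=None):
    """Store a fresh state in the server-side session and build the authorize URL."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    # Decide where the user goes after login now, from validated input.
    session["post_login"] = safe_post_login_target(next_url)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REGISTERED_REDIRECT_URI,
        "scope": "openid email",
        "state": state,
    }
    return f"{PROVIDER_AUTHORIZE}?{urlencode(params)}"


def exchange_code(code, redirect_uri):
    """Simulated token exchange (hypothetical). A real client POSTs the code to
    the provider's token endpoint together with the same redirect_uri it sent
    in begin_login, so the provider can refuse a code issued for another URI."""
    if redirect_uri != REGISTERED_REDIRECT_URI:
        raise ValueError("redirect_uri does not match the registered value")
    return {"access_token": f"tok-for-{code}"}


def handle_callback(session, callback_url):
    """Validate the provider's redirect back to us. Returns (ok, detail)."""
    qs = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("oauth_state", None)  # single use: consumed here
    received = qs.get("state", [""])[0]
    if not expected or not hmac.compare_digest(expected.encode(), received.encode()):
        return False, "state mismatch: possible login CSRF or replayed callback"
    code = qs.get("code", [""])[0]
    if not code:
        return False, "callback carries no authorization code"
    token = exchange_code(code, REGISTERED_REDIRECT_URI)
    # Destination comes from the session (validated in begin_login); nothing
    # in the callback query string can override it.
    return True, {"token": token,
                  "redirect_to": session.pop("post_login", DEFAULT_POST_LOGIN)}


if __name__ == "__main__":
    demo = {}
    print(begin_login(demo, "https://app.example.evil.test/steal"))
    print(handle_callback(demo, f"{REGISTERED_REDIRECT_URI}?code=abc&state=forged"))
```

Two design choices carry the weight here. The `state` is popped from the session before it is compared, so a captured callback URL cannot be replayed, and the comparison is constant-time. The redirect target is fixed at `begin_login` from an exact-match allow-list, so a link that starts the flow with a hostile `next` parameter is neutralised before the provider is ever involved, and the callback itself carries nothing an attacker can use to steer the authorization code elsewhere.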

The same OAuth vulnerabilities were also found on other sites owned and operated by Booking Holdings, including Kayak.com. Upon discovering the vulnerabilities, Salt Labs’ researchers followed coordinated disclosure practices with Booking.com and all issues were remediated swiftly.

“OAuth has quickly become the industry standard and is currently in use by hundreds of thousands of services around the world,” explained Yaniv Balmas, vice president of research at Salt Security. “As a result, misconfigurations of OAuth can have a significant impact on both companies and customers as they leave precious data exposed to bad actors.”

Balmas added that “security vulnerabilities can happen on any website, and as a result of rapid scaling, many organizations remain unaware of the myriad of security risks that exist within their platforms.”

Image: Ivan Radic/Flickr
