- A travel service integrated into many airline booking sites carried a security flaw
- It could be abused to log in to other people's accounts and change their reservations
- The flaw has since been reported to the vendor and fixed
A "top-tier" travel service for hotel and car-rental bookings was vulnerable to a flaw that let malicious actors take over anyone's account, according to a new report from API security firm Salt Labs.
By abusing the flaw, an attacker could book hotel rooms, rent cars and modify any reservation details. To make matters worse, because the service is integrated into "dozens" of commercial airlines' online services, it would also have allowed criminals to spend victims' airline loyalty points, and more.
Salt Labs said millions of people could have been at risk, but did not name the affected service.
Session token theft
This is how a theoretical attack would work: a malicious actor crafts a custom link and shares it with the victim through the usual channels (for example, email). The victim clicks the link, which leads to the rental service provider, where they are asked to log in with the credentials of the associated airline.
At that point, the rental platform generates a second link and sends the victim to the airline's website to log in via OAuth.
OAuth (Open Authorization) is an open standard for secure delegated access, which lets an application access a user's data held by another service without exposing the user's credentials to it.
Because of the tampered link, the authentication response is returned to the attacker instead of the victim, including the user's session token, which gives the attacker access to the victim's account on the platform.
"Since the manipulated link uses a legitimate customer domain (with the manipulation occurring only at the parameter level rather than the domain level), this makes the attack difficult to detect through standard domain inspection or blocklist/allowlist methods," the researchers said in their write-up.
Salt Labs disclosed its findings to the affected service, which confirmed the flaw and deployed a fix.