Cybersecurity researchers at Salt Labs have identified and disclosed a now-patched vulnerability in a widely used online travel booking service for hotels and car rentals, The Hacker News reports.
The flaw could have allowed threat actors to take control of user accounts, enabling them to impersonate targets when booking or canceling reservations and using victims' airline loyalty points. The travel service is integrated with several commercial airline platforms, though the company's exact name was not revealed.

The vulnerability was exploited through a specially crafted link that, when clicked, redirected authentication responses to an attacker-controlled site. The method leveraged a weakness in a certain parameter that allowed unauthorized access to user accounts. Since the attack relied on manipulating parameters rather than domain-level changes, it was difficult to detect using standard security filters, the researchers said. Salt Labs warned that such service-to-service interactions are prime targets for API-based supply chain attacks, and that it "highlights the vulnerabilities in third-party integrations and the importance of stringent security protocols to protect users from unauthorized account access and manipulation."
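The report describes an authentication response being sent to an attacker-controlled site because a parameter value, rather than the domain itself, was manipulated. The usual defensive control for that class of bug is strict validation of the redirect-target parameter against an allow-list of exact origins. The example below is added here and is not Salt Labs' code or the affected service's code; the host names, the sample parameter values and the assumption that the weak parameter was a redirect target are all constructed for illustration. It contrasts a substring-style check, which a crafted value can satisfy while pointing elsewhere, with an exact scheme-and-host match.

```python
from urllib.parse import urlsplit

# Constructed allow-list of (scheme, host) pairs the service may send authentication
# responses back to. Hypothetical names, not taken from the Salt Labs report.
ALLOWED_REDIRECTS = {
    ("https", "booking.example.com"),
    ("https", "partner-airline.example.net"),
}


def weak_redirect_check(url: str) -> bool:
    """Substring match: accepts any value that merely *contains* a trusted host name.
    A parameter value can satisfy this while actually resolving somewhere else."""
    return any(host in url for _, host in ALLOWED_REDIRECTS)


def strict_redirect_check(url: str) -> bool:
    """Parse the value and require an exact scheme+host match on the allow-list.
    Rejects userinfo tricks, look-alike subdomains, unexpected ports and non-https."""
    try:
        parts = urlsplit(url)
        port = parts.port            # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https" or parts.hostname is None:
        return False
    if parts.username is not None or parts.password is not None:
        return False                 # e.g. https://trusted-host@other-host/ shapes
    if port not in (None, 443):
        return False
    return (parts.scheme, parts.hostname.lower()) in ALLOWED_REDIRECTS


# Constructed redirect-parameter values: one legitimate, the rest shaped so that a
# substring check passes although the browser would land on a different host.
SAMPLE_VALUES = {
    "https://booking.example.com/auth/callback": "legitimate",
    "https://booking.example.com@attacker.example/cb": "userinfo in authority",
    "https://booking.example.com.attacker.example/cb": "look-alike subdomain",
    "https://attacker.example/cb?next=https://booking.example.com/": "trusted host in query",
    "https://booking.example.com:8443/cb": "unexpected port",
}


def evaluate(values=SAMPLE_VALUES):
    """Return {value: (weak_result, strict_result)} so the two checks can be compared."""
    return {v: (weak_redirect_check(v), strict_redirect_check(v)) for v in values}


if __name__ == "__main__":
    for value, (weak, strict) in evaluate().items():
        print(f"weak={weak!s:5} strict={strict!s:5}  {SAMPLE_VALUES[value]:22} {value}")
```

The strict check deliberately does not try to "clean up" a bad value; anything that is not an exact allow-listed origin is rejected and the authentication response stays on the service's own domain. Logging every rejected value, together with the request's referrer, gives a detection signal for exactly the parameter-level manipulation the researchers said standard filters missed.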