Account takeover flaw discovered in popular travel booking service

Cybersecurity researchers at Salt Labs have identified and disclosed a now-patched vulnerability in a widely used online travel booking service for hotels and car rentals, The Hacker News reports.

The flaw could have allowed threat actors to take over user accounts and act as the victim: booking or canceling reservations and spending the victim's airline loyalty points. The travel service is integrated with several commercial airline platforms, though the company's name was not disclosed.

The attack required only that a victim click a specially crafted link. A manipulated parameter in that link caused the authentication response to be redirected to an attacker-controlled site, giving the attacker unauthorized access to the account. Because the malicious link differed from a legitimate one only in a parameter value, not in its domain, it was difficult to detect with standard security filters, the researchers said.

Salt Labs warned that such service-to-service interactions are prime targets for API-based supply chain attacks, and that the case "highlights the vulnerabilities in third-party integrations and the importance of stringent security protocols to protect users from unauthorized account access and manipulation."
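
As an added illustration, not code from Salt Labs or from the affected service, the Python below models the pattern the researchers describe: a login link on the legitimate host carries a return-URL parameter that the attacker controls. The parameter name `return_url`, the host names and the sample links are all constructed for this example; the article does not name the real parameter or the service. The code shows that a domain-level check passes every link, that a substring check on the return URL is bypassed in three different ways, and that an exact allow-list of registered redirect targets (the approach OAuth 2.0 security guidance recommends for redirect URIs) refuses all three while still permitting the legitimate destination.

```python
"""Return-URL manipulation in a login flow: naive check vs. exact allow-list.

Illustrative example only. The parameter name `return_url`, the hosts
booking.example / attacker.example and every link below are constructed;
none of them come from the Salt Labs disclosure.
"""
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

TRUSTED_HOST = "booking.example"    # constructed stand-in for the travel service
ATTACKER_HOST = "attacker.example"  # constructed

# Exact post-login destinations the service has registered. Comparing full
# (scheme, host, path) tuples, not substrings, is the allow-list approach
# recommended for OAuth redirect URIs.
ALLOWED_RETURN_URLS = {
    ("https", TRUSTED_HOST, "/account"),
    ("https", TRUSTED_HOST, "/bookings"),
}


def build_login_link(return_url: str) -> str:
    """The link a victim receives. It points at the legitimate login endpoint;
    only the value of the (assumed) return_url parameter is attacker-chosen."""
    return f"https://{TRUSTED_HOST}/login?" + urlencode({"return_url": return_url})


def link_domain_is_trusted(link: str) -> bool:
    """All a domain-level filter (mail gateway, URL reputation) can decide on."""
    return urlsplit(link).hostname == TRUSTED_HOST


def naive_is_safe(return_url: str) -> bool:
    """Substring check ('does it mention our domain?'). Trivially satisfied."""
    return TRUSTED_HOST in return_url


def strict_is_safe(return_url: str) -> bool:
    """Parse first, reject userinfo / explicit port / fragment, then require an
    exact match against the registered (scheme, host, path) tuples."""
    parts = urlsplit(return_url)
    if parts.username is not None or parts.password is not None or parts.port is not None:
        return False  # e.g. https://booking.example@attacker.example/ really goes to attacker.example
    if parts.fragment:
        return False
    return (parts.scheme, parts.hostname, parts.path) in ALLOWED_RETURN_URLS


def auth_response_destination(link: str, is_safe: Callable[[str], bool]) -> Optional[str]:
    """Host that receives the post-login response if the service vets return_url
    with `is_safe`; None if the redirect is refused."""
    return_url = parse_qs(urlsplit(link).query).get("return_url", [""])[0]
    if not is_safe(return_url):
        return None
    return urlsplit(return_url).hostname


# Constructed sample links: one legitimate, three that keep the trusted domain
# in the outer link and only play with the parameter value.
CRAFTED_LINKS: Dict[str, str] = {
    "legitimate": build_login_link(f"https://{TRUSTED_HOST}/account"),
    # trusted host appears only inside the attacker URL's query string
    "substring": build_login_link(f"https://{ATTACKER_HOST}/?{TRUSTED_HOST}"),
    # trusted host sits in the userinfo part; the real host is the attacker's
    "userinfo": build_login_link(f"https://{TRUSTED_HOST}@{ATTACKER_HOST}/account"),
    # trusted host is just a subdomain label under the attacker's domain
    "subdomain": build_login_link(f"https://{TRUSTED_HOST}.{ATTACKER_HOST}/account"),
}


def evaluate(links: Dict[str, str] = CRAFTED_LINKS) -> Dict[str, Dict[str, object]]:
    """For each link: does a domain filter pass it, and where does the auth
    response land under the naive and the strict validator."""
    return {
        name: {
            "domain_filter_passes": link_domain_is_trusted(link),
            "naive": auth_response_destination(link, naive_is_safe),
            "strict": auth_response_destination(link, strict_is_safe),
        }
        for name, link in links.items()
    }


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:10s} {result}")
```

Every crafted link passes the domain check, which is the researchers' point about parameter manipulation evading domain-level filters; only the parsed, exact allow-list comparison separates the legitimate destination from the three attacker-controlled ones.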
