API Security Flaws Found In Booking.com Point To A Larger Problem

Guest: Yaniv Balmas (LinkedIn)
Company: Salt Security (Twitter)

Many websites have a social login functionality that allows users to log in using their Google, Facebook, Twitter, or other accounts. It provides the convenience of not having to enter a username and password.

In this episode of TFiR: Let’s Talk, Swapnil Bhartiya sits down with Yaniv Balmas, VP of Research at Salt Security, to talk about the API security flaws that were found in the implementation of the Open Authorization (OAuth) social-login functionality utilized by Booking.com, and why it is a symptom of a bigger issue.

Key highlights of this video interview:

A flaw in Booking.com’s Facebook logging functionality allowed Salt Security to basically take over any account that’s using this functionality, or even accounts that are not using functionality but are just logged into Facebook while the attack is going on.
OAuth or its OIDC extension is the industry standard protocol that supports social login. While it’s easy for a service or site administrator to auto-integrate social login into a site and it enhances user experience, there are technical difficulties in implementing it correctly. The mechanics are very complex.
In this specific case, the problem lies in the way Booking.com implemented OAuth. It was a small glitch that is not apparent, but an attacker who knows the protocol well enough may be able to pinpoint it, just as Salt Security did. Once exploited, the impact is dramatic because an attacker can immediately take over millions of Booking.com user accounts. The compromised Booking.com login can also be used to gain access to sister company’s Kayak.com user accounts.
As soon as Salt Security reported the flaw, Booking.com fixed everything and the vulnerability is no longer there.
Salt Security has found several other targets, which are not yet published, that are vulnerable to different flavors of the same issue.

Advice for companies to prevent a similar situation:

Never implement something that you don’t feel that you deeply understand. If you don’t have this knowledge internally within your own organization, seek other parties that have this knowledge and will be able to advise you on it. This is especially true for technologies that support authentication or authorization because these are very critical points within any web site or web service.
If using OAuth, make sure that all your implementation details are correct, so you don’t expose your users to any unnecessary security flaws. Do an internal audit, external audit, and third parties to help you protect where you missed.
Have a second line of defense, such as third-party security products, that you can implement that will help you try to detect or prevent attacks.
Even if you do everything, you can still be vulnerable. You need to minimize your exposure as much as possible. Once you find something, you need to react as quickly and as efficiently as you can.

This summary was written by Camille Gregory.

You may also like

Open Platform for Enterprise AI (OPEA) aims to foster collaboration in Enterprise AI

Why AWS backs Valkey, an open source alternative to Redis | David Nalley

LF Energy leads digitalization efforts to tackle decarbonization challenges

Carbon Data Specification Consortium helps drive climate solutions with carbon data standardization

Tackle data complexity with Hasura v3

Acorn Labs’ GPTScript aims to redefine coding for AI applications