Salt Security, the API security company, has released new threat research from Salt Labs highlighting several critical security flaws in Booking.com. The flaws were found in the implementation of the Open Authorization (OAuth) social-login functionality utilized by Booking.com, which had the potential to affect any users logging into either site through their Facebook account. The OAuth misconfigurations could have allowed for both large-scale account takeover (ATO) on customers’ accounts and server compromise, enabling bad actors to:

● Manipulate platform users to gain complete control over their accounts
● Leak Personal Identifiable Information (PII) and other sensitive user data stored internally by the sites
● Perform any action on behalf of the user, such as booking or canceling reservations and ordering transportation services

Salt Labs researchers discovered security vulnerabilities in the social login functionality used by booking.com, implemented with an industry-standard protocol called OAuth. Popular across websites and web services, OAuth lets users log into sites using their social media accounts, in one-click, instead of via “traditional” user registration and username/password authentication.

While OAuth provides users with a much easier experience in interacting with websites, its complex technical back end can create security issues with the potential for exploitation. By manipulating certain steps in the OAuth sequence on the Booking.com site, Salt Labs researchers found they could hijack sessions and achieve account takeover (ATO), stealing user data and performing actions on behalf of users.

Any Booking.com user configured to log in using Facebook might have been affected by this issue. Booking.com supports more than 100 million registered users. Given the popularity of using the “log in with Facebook” option, millions of users could have been at risk from this issue. Kayak.com (part of the same parent company, Booking Holdings Inc.) could have also been
affected, as it allows users to log in using their Booking.com credentials, increasing the number of users susceptible to these security flaws by millions.

Upon discovering the vulnerabilities, Salt Labs’ researchers followed coordinated disclosure practices with Booking.com, and all issues were remediated swiftly, with no evidence of these flaws having been exploited in the wild.