Booking.com says typo bug can give strangers access to your whole trip

(Image credit: Shutterstock)

Booking.com apparently links reservations to accounts without any verification
User finds typing the wrong email address could link your vacation to another account
The company did not remove a false booking from one user’s account

Travellers using Booking.com to pay for accommodation and transport have been warned about a simple typo bug that could see them share their private trip details with strangers, giving them access to sensitive information and even allowing them to take control over bookings.

The issue came to light when a Booking.com user, named as Alfie, received an unexpected email confirming a trip that he hadn’t booked.

Although he exercised caution by not following links on the email, suspecting it was a phishing scam, the mysterious booking had been added to his account, confirming suspicions that the email was indeed from Booking.com.

Watch out for this Booking.com bug

After failing to receive an explanation from the company’s support team, Alfie shared the story with Ars Technica which pressed Booking.com for answers.

It was later revealed the problem occurred when another user had entered Alfie’s email address, presumably by accident, causing the reservation to link to his account. Booking.com has therefore stated the incident is neither a “system glitch” nor a “security breach,” however we now have questions about the robustness of Booking.com’s system.

Booking.com said (via Ars Technica): “Following our investigation, we found that the issue occurred due to a customer input error during the reservation process, where he inadvertently entered an incorrect email address. That email address, however, belonged to another Booking.com customer which caused the reservation to be linked to their account.”

Alfie’s experience highlights a worrying loophole where Booking.com’s system automatically adds bookings to accounts via the email address provided, without any further verification, making it easy to inadvertently share private information with others and lose your own booking.

Although the chances of typing a completely different email address are pretty slim, a single misplaced letter could direct the booking to another closely related email address.

Moreover, Booking.com declined to remove the trip from Alfie’s account, stating that it would be a violation of the privacy of the user who actually booked the trip.

Create secure accounts with the best password generators and best password managers
Your Netflix account is not suspended – how to avoid the latest SMS scam
Consider using the best authentication apps

With several years’ experience freelancing in tech and automotive circles, Craig’s specific interests lie in technology that is designed to better our lives, including AI and ML, productivity aids, and smart fitness. He is also passionate about cars and the decarbonisation of personal transportation. As an avid bargain-hunter, you can be sure that any deal Craig finds is top value!