Millions of airline customers possibly affected by OAuth security flaw
Bug in travel service put millions at risk of cyberattack
- A travel service, integrated into many airline service providers, carried a security flaw
- This could be abused to log into people's accounts and change their bookings
- It has since been reported and mitigated
A “popular, top-tier” travel service for hotel and car rentals was vulnerable to a flaw which allowed malicious actors to take over anyone’s account, a new report from API security firm Salt Labs has claimed.
By abusing the flaw, attackers could book hotel rooms, rent cars, and modify any booking information in the victim's name. To make matters worse, since the service is integrated into "dozens" of commercial airline online services, it would also let them spend the victim's airline loyalty points, and more.
Salt Labs said millions of people could be at risk, but that it did not want to say the name of the affected service.
Stealing session tokens
Here is how a theoretical attack would work: A malicious actor would craft a link to the rental service provider's site, legitimate in every respect except for one manipulated parameter, and share it with the victim via the usual channels (for example, email). The victim would click on the link, landing on the rental service provider, which would ask them to log in with the credentials associated with the airline service provider.
At that point, the rental platform generates a second link and sends the victim to the airline's website to log in using OAuth.
OAuth (Open Authorization) is an open standard for access delegation: it lets one application act on a user's data held by another service without the user handing over their credentials to it.
Because the crafted link controls where the rental platform sends the victim once the login completes, the authentication response, including the user's session token, is delivered to the attacker instead of the legitimate page. With that token the attacker can use the platform as the victim.
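To make the mechanism concrete, here is an added example (written for this page, not code from Salt Labs or from the affected service) of the redirect check at the heart of this kind of flaw. It models the flow above: the attacker's link uses the rental platform's real login page and only changes the return parameter, and after the airline-side OAuth login the platform sends the session token to wherever that parameter points. The host names, the `/login` path and the parameter name `return` are assumptions for illustration. It goes slightly beyond the article by showing three ways an allowed host name can appear inside an attacker-controlled URL, and the parsed-host allowlist check that rejects all of them.

```python
"""Added example: a substring redirect check next to a parsed-host allowlist check.
Host names and the "return" parameter are assumed for illustration only."""
from typing import Callable, Optional
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Assumed names: the rental platform's login host, and the hosts it may legitimately
# send a user back to after the airline-side OAuth login completes.
PLATFORM_HOST = "rentals.example-travel.com"
ALLOWED_RETURN_HOSTS = {"rentals.example-travel.com", "www.example-travel.com"}


def naive_is_safe_return(url: str) -> bool:
    """Substring check: proves the allowed host appears somewhere in the URL,
    not that the browser will actually connect to it."""
    return PLATFORM_HOST in url


def strict_is_safe_return(url: str) -> bool:
    """Accept only same-site relative paths or https URLs whose *parsed* host is on
    the allowlist; scheme-relative, userinfo and suffix-domain tricks are rejected."""
    if "\\" in url or any(ord(c) < 0x20 for c in url):
        return False  # backslashes and control characters get normalised by browsers
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if not parts.scheme and not parts.netloc:
        # Plain relative path such as "/account" ("//host" parses with a netloc, so it
        # never reaches this branch; the explicit guard is kept for clarity)
        return url.startswith("/") and not url.startswith("//")
    if parts.scheme != "https":
        return False
    host = parts.hostname  # lowercased, with userinfo and port stripped
    return host is not None and host in ALLOWED_RETURN_HOSTS


def build_crafted_link(return_url: str) -> str:
    """What the attacker mails to the victim: the platform's genuine login URL with
    only the return parameter changed."""
    query = urlencode({"return": return_url})
    return urlunsplit(("https", PLATFORM_HOST, "/login", query, ""))


def link_host(link: str) -> Optional[str]:
    """What a domain-level inspection of the mailed link sees."""
    return urlsplit(link).hostname


def token_destination(link: str, validator: Callable[[str], bool]) -> Optional[str]:
    """Model the post-login redirect: the platform appends the session token to the
    return URL if the validator accepts it. Returns the host that would receive the
    token, or None if the redirect is blocked."""
    params = parse_qs(urlsplit(link).query)
    return_url = params.get("return", ["/"])[0]
    if not validator(return_url):
        return None
    return urlsplit(return_url).hostname or PLATFORM_HOST


if __name__ == "__main__":
    attacker_urls = [  # constructed attacker-controlled return URLs
        "https://rentals.example-travel.com.evil.example/collect",  # allowed host as a prefix label
        "https://rentals.example-travel.com@evil.example/collect",  # allowed host as userinfo
        "https://evil.example/collect?via=rentals.example-travel.com",  # allowed host in the query
    ]
    for url in attacker_urls:
        link = build_crafted_link(url)
        print(f"link host seen by a blocklist: {link_host(link)}")
        print(f"  naive check sends token to:  {token_destination(link, naive_is_safe_return)}")
        print(f"  strict check sends token to: {token_destination(link, strict_is_safe_return)}")
```

Every crafted link has the platform's own host, so inspecting the domain of the link tells the victim (or a mail filter) nothing; the decision has to be made on the server when the return parameter is consumed, and it has to be made on the parsed host rather than on the raw string.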
"Since the manipulated link uses a legitimate customer domain (with manipulation occurring only at the parameter level rather than the domain level), this makes the attack difficult to detect through standard domain inspection or blocklist/allowlist methods," the researchers said in their write-up.
Salt Labs disclosed its findings to the affected service, which confirmed the flaw and deployed a fix.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.