- A travel service integrated into many airline service providers had a security flaw
- It could be abused to log in to people’s accounts and change their reservations
- It has since been reported and mitigated
A high-profile “popular” travel service for hotel and car rentals was vulnerable to a flaw that allowed malicious actors to take over anyone’s account, says a new report by the API security company Salt Labs.
By abusing the flaw, they could book hotel rooms, rent cars and modify any booking information at will. To make things worse, since the service is integrated into “dozens” of commercial airlines’ online services, it would also let miscreants spend airline loyalty points, and more.
Salt Labs said millions of people could be at risk, but did not name the affected service.
Steal session cookies
Here is how a theoretical attack would work: a malicious actor would craft a tailored link and share it with the victim through the usual channels (for example, e-mail). Clicking the link would take the victim to the rental service provider, which would ask them to log in with the credentials associated with their airline provider.
At this point, the rental platform generates a second link and sends the victim back to the airline’s website to log in using OAuth.
OAuth (Open Authorization) is an open standard for secure delegated access, allowing applications to access a user’s data on another service without exposing their credentials.
Because of the tailored link, the authentication response is returned to the attackers instead, including the user’s session token, which gives them access to the platform.
“Since the manipulated link uses a legitimate customer domain (with the manipulation occurring only in the parameters rather than in the domain), this makes the attack difficult to detect through standard domain inspection or block/allow lists,” said the researchers in their write-up.
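The defence the airline-side authorization server would apply against this kind of parameter manipulation, shown as an added example rather than code from Salt Labs or the affected service: the redirect target is matched exactly against a pre-registered value, duplicated parameters are rejected, and a `state` value is required. The client id, hostnames and registered callback path are constructed for the example.

```python
from typing import Optional
from urllib.parse import urlsplit, parse_qs

# Constructed data for this example: the redirect URIs each client has
# pre-registered with the airline's authorization server. The client id,
# hostnames and paths are hypothetical.
REGISTERED_REDIRECTS = {
    "rentals-client": {"https://rentals.example/oauth/callback"},
}

def normalize_uri(uri: str) -> Optional[str]:
    """Canonical form used for comparison, or None if the URI can never be
    an acceptable redirect target (not https, no host, invalid port, or
    carrying a query string or fragment)."""
    try:
        p = urlsplit(uri)
        port = p.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if p.scheme != "https" or not p.hostname or p.query or p.fragment:
        return None
    suffix = f":{port}" if port not in (None, 443) else ""
    return f"https://{p.hostname.lower()}{suffix}{p.path or '/'}"

def validate_authorization_request(url: str) -> list:
    """Check an OAuth authorization request URL the way the authorization
    server should before issuing any redirect. Returns the list of problems
    found; an empty list means the request may proceed."""
    problems = []
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    client_id = query.get("client_id", [""])[0]
    redirects = query.get("redirect_uri", [])
    # Parameter pollution: a second redirect_uri must not silently win.
    if len(redirects) != 1:
        problems.append("redirect_uri must appear exactly once")
    registered = REGISTERED_REDIRECTS.get(client_id)
    if registered is None:
        problems.append("unknown client_id")
    elif redirects:
        # Exact match against the registered value: no prefix matching, no
        # extra path segments, no query parameters bolted onto a legitimate
        # callback, so the response cannot be steered to another destination.
        if normalize_uri(redirects[0]) not in registered:
            problems.append("redirect_uri is not registered for this client")
    # state binds the response to the browser session that started the flow,
    # so the client can reject a response delivered to a different session.
    if not query.get("state", [""])[0]:
        problems.append("missing state parameter")
    return problems
```

A link that keeps the legitimate callback host but appends its own parameters, as the write-up describes, fails the exact-match check and the flow stops before any token is issued.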
Salt Labs disclosed its findings to the affected service, which confirmed the flaw and deployed a fix.