Booking.com’s OAuth Implementation Allows Full Account Takeover
Flaws in the authorization system of the Booking.com website could have allowed attackers to take over user accounts and gain full visibility into their personal or payment-card data, as well as log in to accounts on the website’s sister platform, Kayak.com, researchers have found.
Researchers from Salt Security discovered the issues in the platform’s implementation of OAuth, an open authorization standard designed for cross-application access delegation, letting one site grant another limited access to a user’s account without handing over the user’s password, according to a blog post published today. Though it was not specifically designed for this purpose, the protocol has become a standard way for websites to read data from Facebook profiles, or to log a user in with Google credentials, for example. Most people are familiar with the “Log in with Facebook”-type options on some online accounts that let users sign in without creating a new set of login credentials.
“A security breach [via] OAuth can lead to identity theft, financial fraud, and access to all sorts of personal information including credit card numbers, private messages, health records, and more,” Yaniv Balmas, vice president of research at Salt Security, wrote in the post.
Specifically, researchers discovered an open redirection vulnerability in Booking.com and achieved a successful login by accessing the site through the “log in with Facebook” option. They ultimately exploited three security issues, chaining them together to gain full account takeover, according to the post.
“Once logged in, the attacker could have performed any action on behalf of the compromised users and gain full visibility into the account, including all of a user’s personal information,” Balmas wrote.
The issue could have caused a serious data breach for customers of the widely used hotel reservations website, which is part of the Booking Holdings Fortune 500 company and has more than 500 million visitors per month, he said. The site also allows users to rent cars and book taxis.
“An attacker could potentially make unauthorized requests on behalf of a victim, cancel existing reservations, or access sensitive personal information such as booking history, personal preferences, and future reservations,” Balmas wrote in the post.
Salt Security disclosed the issues to Booking.com, which researchers lauded for responding quickly to address and completely mitigate them. Moreover, there had been no evidence of compromise to the Booking.com platform before the issues were resolved, Booking.com said in a statement provided by Salt Security.
“On receipt of the report from Salt Security, our teams immediately investigated the findings and established that there had been no compromise to the Booking.com platform, and the vulnerability was swiftly resolved,” the company said. “We take the protection of customer data extremely seriously.”
How OAuth Works
To understand how researchers compromised Booking.com’s OAuth implementation, it’s important to understand how the standard operates on a site and how Booking.com’s implementation of it was flawed.
OAuth comes into play when a user logs in to a website and clicks on the “Log in with Facebook” option that many sites use to allow cross-platform authentication. The site will then open a new window to Facebook and, if it’s the user’s first time visiting the site, ask for permission to share details with the site. If not, Facebook automatically authenticates the user to the site.
Once the user clicks on a button to, for example, “Continue as Jane,” Facebook generates a secret token that is private for the website and associated with the user’s Facebook profile. Facebook then uses the token to direct the user to the website, which uses the token to communicate directly with Facebook to get the user’s email address. Facebook then approves the address and its association with the user, which the site uses to log in the user successfully.
All of this communication between Facebook and the sites involves various redirections to different URLs, which is where the researchers were able to exploit the implementation of OAuth to steal the victim’s token or code, they said. Bad implementations are not uncommon; indeed, in a breach last May, attackers used OAuth tokens stolen from Salesforce subsidiary Heroku to gain access to sensitive customer account data.
Finding Means for Exploit
Knowing this token is where the attacker opportunity lies, the researchers investigated the security of the standard’s implementation by changing various parameters to cause “unexpected behaviors of the flow” and seeing whether any of them allowed a successful attack, Balmas said. What they found were ways to manipulate the URL redirects that occur in the communication between the two sites so that users were sent to URLs controlled by the researchers, which constitutes an open redirection bug in Booking.com.
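The two checks a relying party should apply at the points described above (the redirect target before the user is sent to the provider, and the per-login state value when the user comes back with a code) are shown here as an added example; it is not code from Salt Security, Booking.com or Facebook. The hostnames, the allowlist, the session dictionary and the function names are assumptions made for the illustration. The negative test cases are the URL shapes an exact-match validator must reject to avoid becoming an open redirect.

```python
# Added illustration (not the page's or any vendor's code): an exact-match
# redirect allowlist plus a single-use "state" check for an OAuth callback.
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical relying party: the only callback URL this site ever registered.
ALLOWED_REDIRECTS = {"https://example-rp.test/oauth/callback"}


def redirect_is_allowed(candidate: str, allowlist=ALLOWED_REDIRECTS) -> bool:
    """Accept a redirect target only when scheme, host, port and path match an
    allow-listed URL exactly. Prefix, suffix or substring matching is what turns
    a callback handler into an open redirect."""
    try:
        parts = urlsplit(candidate)
        port = parts.port                 # raises ValueError for junk ports
    except ValueError:
        return False
    if parts.scheme != "https" or parts.hostname is None:
        return False
    if parts.username is not None or parts.password is not None:
        return False                      # "https://good.test@evil.test/..." must fail
    if parts.query or parts.fragment:
        return False                      # nothing may be smuggled after the path
    host = parts.hostname                 # urlsplit already lower-cases it
    if port is not None and port != 443:
        host += f":{port}"
    return f"https://{host}{parts.path}" in allowlist


# Constructed samples: every one of these must be rejected by the validator.
REJECTED_SAMPLES = [
    "http://example-rp.test/oauth/callback",                     # scheme downgrade
    "https://example-rp.test/oauth/callback/../admin",           # path traversal
    "https://example-rp.test.attacker.test/oauth/callback",      # attacker-owned suffix
    "https://example-rp.test@attacker.test/oauth/callback",      # userinfo trick
    "https://attacker.test/?u=https://example-rp.test/oauth/callback",
    "https://example-rp.test/oauth/callback?next=https://attacker.test",
    "https://example-rp.test/oauth/callback#https://attacker.test",
]


def issue_state(session: dict) -> str:
    """Bind a fresh, unguessable state value to this browser session before
    redirecting the user to the identity provider."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    return state


def build_authorize_url(authorize_endpoint: str, client_id: str,
                        redirect_uri: str, state: str) -> str:
    """Assemble the provider redirect, refusing any unregistered redirect_uri."""
    if not redirect_is_allowed(redirect_uri):
        raise ValueError("redirect_uri is not a registered callback")
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": "email", "state": state}
    return f"{authorize_endpoint}?{urlencode(params)}"


def consume_code(session: dict, callback_url: str) -> Optional[str]:
    """Return the authorization code from the callback only if it carries the
    state this session issued. The state is popped first, so a replayed or
    forged callback finds nothing to match against."""
    expected = session.pop("oauth_state", None)
    query = parse_qs(urlsplit(callback_url).query)
    received = query.get("state", [""])[0]
    code = query.get("code", [""])[0]
    if not expected or not hmac.compare_digest(expected, received):
        return None
    return code or None


if __name__ == "__main__":
    session = {}
    state = issue_state(session)
    print(build_authorize_url("https://idp.example.test/authorize", "client-123",
                              "https://example-rp.test/oauth/callback", state))
    print(all(not redirect_is_allowed(u) for u in REJECTED_SAMPLES))
```

The validator compares a rebuilt canonical form against the registered callbacks rather than calling `startswith` on the raw string, and the state value is consumed on first use so a code delivered to a different session, or delivered twice, is never exchanged.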
“We created a link that takes over any account on Booking.com that uses Facebook,” Balmas wrote. “The link itself points to a legitimate Facebook.com or Booking.com domain, which makes it difficult to detect (manually or automatically).”
This method also allowed for account takeover on Kayak.com and affected users signing into Booking.com from Google, the researchers said.
Wider Cyber-Risk of Poor OAuth Implementations
While the researchers only divulged how they used OAuth to compromise Booking.com in the report, they discovered other sites at risk from improperly applying the authorization protocol, Balmas tells Dark Reading.
“We have observed several other instances of OAuth flaws on popular websites and Web services,” he says. “The implications of each issue vary and depend on the bug itself. In our cases, we are talking about full account takeovers across them all. And there are surely many more that are yet to be discovered.”
OAuth offers site owners an easy way to streamline the user login process, reducing friction in what is otherwise a “long and frustrating” step, Balmas says. However, though it seems simple, implementing the technology successfully and securely is actually very complicated, and a single small wrong move can have a huge security impact, he says.
“To put it in other words — it is very easy to put a working social login functionality on a website, but it is very hard to do it correctly,” Balmas tells Dark Reading.
Overall, Balmas advises site owners to treat OAuth “as a sensitive part of your service and either build the internal deep knowledge of the field, undergo continuous security testing and reviews to validate your assumptions, or, of course, both.”
He adds, “This is general advice that is relevant for any sensitive path/technology that is part of one’s service.”