OAuth vulnerabilities on Booking
Security researchers at Salt Security Inc. today released new threat research that highlights critical security flaws found on the website of popular hotel booking service Booking Holdings Inc.
The flaws were found in the way those who designed the Booking.com site implemented Open Authorization social-login functionality, potentially exposing any users logging into the site through their Facebook accounts. The OAuth misconfigurations could have allowed for large-scale account takeover of customers’ accounts and server compromise.
Although there is no proof that bad actors exploited the OAuth misconfigurations to gain access to customer accounts, such access could have had severe consequences. Had they gained it, they could have manipulated platform users to gain complete control over user accounts, accessed personally identifiable information and other sensitive user data stored by Booking.com, and performed actions on behalf of the user, such as booking or canceling reservations and ordering transportation services.
The researchers at Salt Labs, the research arm of Salt Security, have gone public with their findings to highlight the risks presented in OAuth implementations. Popular across websites and web services, OAuth lets users log into sites using their social media accounts in one click, instead of via “traditional” user registration and username and password authentication.
OAuth provides users with a much easier experience in interacting with websites, but its complex technical back end can create security issues with the potential for exploitation, the researchers say.
The same OAuth vulnerabilities were also found on other sites owned and operated by Booking Holdings, including Kayak.com. Upon discovering the vulnerabilities, Salt Labs’ researchers followed coordinated disclosure practices with Booking.com and all issues were remediated swiftly.
“OAuth has quickly become the industry standard and is currently in use by hundreds of thousands of services around the world,” explained Yaniv Balmas, vice president of research at Salt Security. “As a result, misconfigurations of OAuth can have a significant impact on both companies and customers as they leave precious data exposed to bad actors.”
Balmas added that “security vulnerabilities can happen on any website, and as a result of rapid scaling, many organizations remain unaware of the myriad of security risks that exist within their platforms.”