Research from Salt Labs reveals a vulnerability in a popular online travel service that specializes in hotel and car rentals and integrates with airline services.
The flaw discovered is an account takeover vulnerability, which could allow a malicious actor to gain unauthorized access to an account and impersonate the user. From there, a malicious actor could perform a variety of actions, including:
- Cancelling booking information
- Editing booking information
- Booking rentals with the user's airline loyalty points
This vulnerability can be leveraged via a malicious link that evades the travel service's security measures. The link may be distributed through text messages, emails or a website controlled by the threat actor. Once a user clicks the link and authenticates to the online service, the malicious actor gains full access to their account.
Mr. Akhil Mittal, Senior Manager at Black Duck, comments, “This vulnerability shows a growing and recurring issue in API security — convenience often takes priority over security. Travel platforms are built to provide seamless user experiences, but that ease of use can create blind spots. Here, attackers didn’t use sophisticated techniques; they exploited weak validation processes and a failure to manage trust between integrated systems.
“What stands out to me is the lack of granular access controls and proper token validation. These are basics in API security, but they’re often overlooked in favor of faster integrations or simpler designs. Organizations need to step back and ask: Are we truly enforcing strong authentication at every step? Are we watching for unusual behaviors, like spikes in link activity or unexpected account access? And are we taking the time to understand the risks our third-party partners might bring into the mix?
“This isn’t just about fixing a technical issue or patching vulnerabilities. When systems are interconnected, the risks don’t just add up; they multiply. One flaw in an API can quickly spread, putting millions of users at risk. That’s why APIs need smarter security, like dynamic trust validation, behavior validation and real-time anomaly detection to prevent exploitation.”
https://www.securitymagazine.com/articles/101338-security-research-discovers-vulnerabilities-in-popular-travel-service