OAuth Redirect Flaw in Airline Travel Integration Exposes Millions to Account Hijacking

Source: The Hacker News, January 28, 2025
By Ravie Lakshmanan

Cybersecurity researchers have disclosed details of a now-patched account takeover vulnerability affecting a popular online travel service for hotel and car rentals.

“By exploiting this flaw, attackers can gain unauthorized access to any user’s account within the system, effectively allowing them to impersonate the victim and perform an array of actions on their behalf – including booking hotels and car rentals using the victim’s airline loyalty points, canceling or editing booking information, and more,” API security firm Salt Labs said in a report shared with The Hacker News.

Successful exploitation could have put millions of airline customers at risk, Salt Labs added. The company behind the service was not named, but Salt Labs said it is integrated into "dozens of commercial airline online services" and lets users add hotel bookings to their airline itinerary.

In short, the flaw is trivial to weaponize: the attacker sends a specially crafted link, distributed through ordinary channels such as email, text messages, or attacker-controlled websites. A victim who clicks the link and completes the login hands the attacker control of the account.

Sites that integrate the rental booking service can let users log in to it with the credentials of the airline service provider. When a user chooses that option, the rental platform generates a link and redirects the user back to the airline's website to complete authentication via OAuth.

Once sign-in succeeds, the user is sent to a site of the form "<rental-service>.<airlineprovider>.sec", from which they can spend airline loyalty points on hotel and car rental bookings.

The attack devised by Salt Labs manipulates a "tr_returnUrl" parameter so that the authentication response from the airline site, which carries the user's session token, is redirected to a site under the attacker's control. With that token, the attacker can access the victim's account without authorization, including their personal information.

“Since the manipulated link uses a legitimate customer domain (with manipulation occurring only at the parameter level rather than the domain level), this makes the attack difficult to detect through standard domain inspection or blocklist/allowlist methods,” security researcher Amit Elbirt said.
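To make the hand-off concrete, here is an added example (not code from Salt Labs, The Hacker News or the unnamed travel service) that simulates the flow in Python: a link on the legitimate login host whose tr_returnUrl parameter points elsewhere, the airline-side step that appends the session token and redirects, a "before" policy that trusts the parameter beside a hardened one that accepts only exact allow-listed https hosts, and the detection check Elbirt's remark implies, which inspects the parameter rather than the link's domain. Only the parameter name tr_returnUrl comes from the article; the hostnames, login endpoint, token format and every sample link are constructed for illustration.

```python
"""Open-redirect hand-off of the kind described above, simulated end to end.

Added example; not code from Salt Labs, The Hacker News or the travel service.
Only the parameter name tr_returnUrl comes from the article; hostnames, the
login endpoint, the token format and all sample links are constructed.
"""
from urllib.parse import parse_qs, parse_qsl, urlencode, urlsplit, urlunsplit

ALLOWED_RETURN_HOSTS = {"rental.airline.example"}       # constructed allow-list
DEFAULT_RETURN_URL = "https://rental.airline.example/"   # constructed safe fallback
LOGIN_ENDPOINT = "https://rental.airline.example/login"  # constructed legitimate host


def vulnerable_return_url(requested: str) -> str:
    """'Before': the platform trusts tr_returnUrl as-is, so any absolute URL is accepted."""
    return requested or DEFAULT_RETURN_URL


def is_allowed_return_url(requested: str) -> bool:
    """True only for https URLs whose netloc is exactly an allow-listed bare hostname.

    Rejects scheme-relative //host, javascript:, userinfo tricks such as
    https://rental.airline.example@attacker.example, explicit ports, IPv6
    brackets, look-alike prefixes/suffixes and unparsable input.
    """
    try:
        parts = urlsplit(requested)
    except ValueError:  # e.g. unbalanced IPv6 brackets
        return False
    return (
        parts.scheme == "https"
        and bool(parts.hostname)
        and parts.netloc.lower() == parts.hostname  # no '@', ':port' or '[...]'
        and parts.hostname in ALLOWED_RETURN_HOSTS
    )


def hardened_return_url(requested: str) -> str:
    """'After': fall back to a fixed URL unless the request passes the allow-list;
    re-serialise from parsed parts so only validated components survive."""
    if not is_allowed_return_url(requested):
        return DEFAULT_RETURN_URL
    parts = urlsplit(requested)
    return urlunsplit(("https", parts.hostname, parts.path or "/", parts.query, ""))


def complete_login(clicked_link: str, choose_return_url, token: str = "sess-constructed-token") -> str:
    """Simulate the airline-side step: read tr_returnUrl from the link the victim
    clicked, 'authenticate', and redirect the browser with the session token
    attached. Returns the final redirect URL, i.e. where the token actually goes."""
    requested = parse_qs(urlsplit(clicked_link).query).get("tr_returnUrl", [""])[0]
    target = urlsplit(choose_return_url(requested))
    query = urlencode(parse_qsl(target.query, keep_blank_values=True) + [("token", token)])
    return urlunsplit((target.scheme, target.netloc, target.path, query, target.fragment))


def token_recipient(clicked_link: str, choose_return_url) -> str:
    """Hostname that receives the session token for a given link and policy."""
    return urlsplit(complete_login(clicked_link, choose_return_url)).hostname


def is_suspicious_link(link: str) -> bool:
    """Detection check: the link sits on the legitimate domain, so judge the
    tr_returnUrl parameter, not the link's host. True when the requested return
    target would fail the hardened policy."""
    requested = parse_qs(urlsplit(link).query).get("tr_returnUrl", [""])[0]
    return bool(requested) and not is_allowed_return_url(requested)


def build_link(return_url: str) -> str:
    """Link as the integration (or an attacker) would build it: legitimate host,
    caller-chosen tr_returnUrl."""
    return LOGIN_ENDPOINT + "?" + urlencode({"tr_returnUrl": return_url})


LEGIT_LINK = build_link("https://rental.airline.example/book?trip=42")
# Constructed attacker payloads: same legitimate host, only the parameter differs.
ATTACK_LINKS = [build_link(u) for u in (
    "https://attacker.example/collect",
    "//attacker.example/collect",
    "https://rental.airline.example@attacker.example/",
    "https://rental.airline.example.attacker.example/",
    "http://rental.airline.example/",
)]

if __name__ == "__main__":
    for link in ATTACK_LINKS:
        print("vulnerable ->", token_recipient(link, vulnerable_return_url),
              "| hardened ->", token_recipient(link, hardened_return_url),
              "| flagged:", is_suspicious_link(link))
```

The allow-list compares the whole netloc against an exact hostname on purpose: a `startswith`/`endswith` or substring check on the host would pass the userinfo and look-alike-suffix payloads above, and an allow-list keyed on the link's own domain, as Elbirt notes, never sees the parameter at all.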

Salt Labs describes service-to-service interactions as an attractive vector for API supply chain attacks, in which an adversary targets the weakest link in the ecosystem to break into systems and steal private customer data.

“Beyond mere data exposure, attackers can perform actions on behalf of the user, such as creating orders or modifying account details,” Elbirt added. “This critical risk highlights the vulnerabilities in third-party integrations and the importance of stringent security protocols to protect users from unauthorized account access and manipulation.”
