Booking.com, one of the world’s largest online travel agencies, recently patched a vulnerability in its implementation of the OAuth protocol that could have allowed attackers to take over customer accounts simply by tricking them into clicking a link. The attack chained three separate issues that, taken on their own, could each be categorized as low risk and that many developers could introduce into their own OAuth implementations.
“For the OAuth issues we found, had a bad actor discovered and successfully exploited them, that attacker could have taken over the accounts of users logging in via Facebook,” researchers from Salt Security, a company that specializes in securing APIs, said in their report. “Once logged in, the attacker could have performed any action on behalf of the compromised users and gained full visibility into the account, including all of a user’s personal information. Our research found that attackers could then use the compromised booking.com login to also log into sister company Kayak.com.”