Travel industry booking websites’ vulnerabilities compromise users’ data

By Alfred Vergara on April 22, 2019

On April 9, 2019, security researcher Candid Wueest disclosed vulnerabilities that allowed malicious users to compromise customer booking data in the hotel industry. These vulnerabilities affect 2/3 of the 1,500 hotel websites surveyed and would allow a malicious user not only to cancel reservations but also to view the following:

  • Full name
  • Email address
  • Postal address
  • Mobile phone number
  • Last four digits of credit card, card type, and expiration date
  • Passport number

Vulnerability

The vulnerabilities assessed by Wueest occur in the process by which a booking website sends reservation confirmations to users. Users may access their reservation information from a static uniform resource locator (URL) that does not require credentials; this is true for 57% of hotel sites. In 29% of hotel sites this link is not encrypted, which means that a user accessing reservation information over a public Internet connection is susceptible to a sniffing attack. After intercepting a reservation link, a malicious user may access that user’s reservation information or change reservation details, including canceling the reservation.

From an insider perspective, many third parties have access to a user’s direct reservation information, including social networks, search engines, advertisers, and analytics services. While the sharing of this information is in most cases covered by a hotel’s privacy policy concerning data usage, these third parties may also manage reservation information as if they were the intended user.

Impact

The tourism industry in the United States is a $208 billion industry. Millions of travelers around the world use hotels for both leisure and business. This vulnerability affects the privacy of customer information, as booking information can easily be obtained by a malicious actor acting as an insider at a third party, or by a malicious actor sniffing data on a public Internet connection.

There are concerns about privacy policy compliance for hotels under the European Union’s (EU) General Data Protection Regulation (GDPR), which requires organizations that handle sensitive information of EU citizens to have appropriate technical and organizational measures in place to protect users’ data. When Wueest attempted to contact affected hotels’ data privacy officers (DPOs) about the security concerns, a fourth of the parties did not respond within 6 weeks. Those that did respond took an average of 10 days to do so. Responses varied: some parties said they would research the issue, while others insisted that the reservation information is not private data and that the third parties it is shared with are trusted.

On a larger scale, it is also possible for a malicious actor to carry out a campaign against hotels whose reservation URLs are predictable. Among the researched reservation sites, Wueest found that reservation information is organized by an identification number that is incremented by one for each booking and is used in the URL for identification. This would allow a malicious actor to compromise the reservations of hundreds of a hotel’s guests, or to cancel all of them to attack the hotel financially.
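The two weaknesses described above (plaintext confirmation links and sequential reservation identifiers) are easiest to see side by side. The following is an added illustration, not code from the research or from any hotel system; the hostname, the in-memory token store and the finding names are constructed for the example. It shows the predictable link pattern beside a hardened one that uses HTTPS and a random, expiring token, plus a small audit routine that flags the weaknesses in a given link.

```python
"""Booking-confirmation links: the predictable pattern vs. a hardened one."""
import secrets
import time
from urllib.parse import urlparse, parse_qs

# Constructed in-memory token store: token -> (reservation_id, expiry).
# Stands in for the booking system's database in this example.
_TOKENS: dict[str, tuple[int, float]] = {}
HOST = "hotel.example"  # placeholder hostname, not a real site


def insecure_link(reservation_id: int) -> str:
    """Pattern described in the post: plaintext URL keyed by a sequential id."""
    return f"http://{HOST}/booking?id={reservation_id}"


def secure_link(reservation_id: int, ttl_seconds: int = 7 * 24 * 3600) -> str:
    """Hardened form: HTTPS plus a 256-bit random, expiring token instead of the id."""
    token = secrets.token_urlsafe(32)
    _TOKENS[token] = (reservation_id, time.time() + ttl_seconds)
    return f"https://{HOST}/booking?token={token}"


def resolve(url: str):
    """Map a confirmation URL back to a reservation, or None if it is not valid.

    Only a token issued by secure_link() resolves; a bare id never does, so
    neighbouring reservations cannot be reached by stepping a number.
    """
    qs = parse_qs(urlparse(url).query)
    token = qs.get("token", [None])[0]
    entry = _TOKENS.get(token) if token else None
    if entry is None or entry[1] < time.time():
        return None
    return entry[0]


def audit_link(url: str) -> set[str]:
    """Flag the weaknesses the post describes in a confirmation link."""
    parts = urlparse(url)
    qs = parse_qs(parts.query)
    findings = set()
    if parts.scheme != "https":
        findings.add("plaintext_transport")     # sniffable on a public connection
    ident = next(iter(qs.values()), [""])[0]
    if ident.isdigit():
        findings.add("predictable_identifier")  # sequential ids can be enumerated
    elif len(ident) < 32:
        findings.add("short_identifier")        # too little entropy to resist guessing
    return findings
```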

Mitigation

A careful user may want to use a virtual private network (VPN) when accessing sensitive information over public Internet access points. For traffic that is otherwise passed in plaintext, a VPN lets the user have that traffic encrypted. Users need to understand that using a website or reservation site means assuming that the service is trustworthy. While not every website can guarantee the privacy of information, sometimes you need to accept the risk associated with a service to accomplish a goal, such as booking a hotel.

Sources

https://www.symantec.com/blogs/threat-intelligence/hotel-websites-leak-guest-data

https://www.securityweek.com/reservation-systems-used-many-hotels-expose-user-data

https://www.wandera.com/mobile-security/airline-check-in-risk/

https://www.statista.com/statistics/245841/total-revenue-of-the-us-hotel-industry/

https://www.bjs.gov/content/pub/press/itrh0510pr.cfm

https://eugdpr.org/

https://computer.howstuffworks.com/vpn.htm