OAuth Redirect Flaw in Airline Travel Integration Exposes Millions to Account Hijacking

Jan 28, 2025 Ravie Lakshmanan

Cybersecurity researchers have disclosed details of a now-patched account takeover vulnerability affecting a popular online travel service for hotel and car rentals.

“By exploiting this flaw, attackers can gain unauthorized access to any user’s account within the system, effectively allowing them to impersonate the victim and perform an array of actions on their behalf – including booking hotels and car rentals using the victim’s airline loyalty points, canceling or editing booking information, and more,” API security firm Salt Labs said in a report shared with The Hacker News.

Successful exploitation of the vulnerability could have put millions of online airline users at risk, it added. The name of the company was not disclosed, but it said the service is integrated into “dozens of commercial airline online services” and allows users to add hotel bookings to their airline itinerary.


The shortcoming, in a nutshell, could be weaponized trivially by sending a specially crafted link that can be propagated via standard distribution channels such as email, text messages, or attacker-controlled websites. Clicking on the link is enough for the threat actor to hijack control of the victim’s account as soon as the login process is complete.

Websites that integrate the rental booking service have the option to log in to the latter using the credentials associated with the airline service provider, at which point the rental platform generates a link and redirects the user back to the airline’s website to complete authentication via OAuth.

Once the sign-in is successful, users are directed to a website that adheres to the format “<rental-service>.<airlineprovider>.sec,” from where they can use their airline loyalty points to book hotels and car rentals.

The attack method devised by Salt Labs involves redirecting the authentication response from the airline site, which includes the user’s session token, to a site under the attacker’s control by manipulating a “tr_returnUrl” parameter. Because the redirect destination is taken from the request without being validated, the token is delivered to the attacker, effectively allowing them to access the victim’s account in an unauthorized manner, including their personal information.
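The redirect flaw described above, as an added example (this is not code from Salt Labs or the affected travel platform): a simulated callback handler that sends the session token wherever tr_returnUrl points, next to a hardened version that accepts only an exact allowlist of the rental platform’s own hosts and rebuilds the destination from its parsed parts. Only the parameter name tr_returnUrl comes from the article; the hostnames, the allowlist and the sample attacker link are constructed for the example.

```python
# Added example, not code from Salt Labs or the affected travel platform.
# It models the login handoff described in the article: after the airline
# authenticates the user, a callback redirects the browser to whatever
# "tr_returnUrl" names, carrying the session token. Hostnames and the
# allowlist below are constructed for the example; only the parameter
# name tr_returnUrl is taken from the article.
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Assumed allowlist: the only hosts the rental platform should ever hand a
# freshly issued session token back to (constructed for this example).
ALLOWED_RETURN_HOSTS = {"rental.airline.example", "rental.otherair.example"}


def vulnerable_callback(token: str, tr_return_url: str) -> str:
    """Behaviour the article describes: trust tr_returnUrl as-is and append
    the session token, so an attacker-chosen value exfiltrates the token."""
    sep = "&" if "?" in tr_return_url else "?"
    return f"{tr_return_url}{sep}{urlencode({'token': token})}"


def is_safe_return_url(url: str) -> bool:
    """Allow only absolute https URLs whose host is exactly on the allowlist.

    Each rejected shape is a classic open-redirect bypass that a substring or
    startswith() check on the raw string would wave through.
    """
    try:
        parts = urlsplit(url)
    except ValueError:            # e.g. unbalanced IPv6 brackets
        return False
    if parts.scheme != "https":   # also rejects //host (scheme-relative), javascript:, data:
        return False
    if parts.hostname is None:    # https:///path or an empty authority
        return False
    if parts.username is not None or parts.password is not None:
        return False              # https://rental.airline.example@evil.example
    if "\\" in url.split("?", 1)[0]:
        return False              # browsers may treat '\' as '/' in the authority
    return parts.hostname.lower() in ALLOWED_RETURN_HOSTS


def hardened_callback(token: str, tr_return_url: str) -> Optional[str]:
    """Same handoff, but the destination is validated and then rebuilt from
    its parsed parts: the fragment is dropped (so a '#' in the input cannot
    swallow the token), the scheme is fixed to https and the host is the one
    that was checked. Returns None when the return URL is not allowed; the
    caller should fall back to a fixed default page rather than the input.
    Assumes the allowlisted hosts serve on the default port."""
    if not is_safe_return_url(tr_return_url):
        return None
    parts = urlsplit(tr_return_url)
    query = parse_qs(parts.query, keep_blank_values=True)
    query["token"] = [token]
    return urlunsplit((
        "https",
        parts.hostname.lower(),
        parts.path or "/",
        urlencode(query, doseq=True),
        "",
    ))


def token_destination(redirect_url: Optional[str]) -> Optional[str]:
    """Host that would receive the session token, or None for no redirect."""
    if redirect_url is None:
        return None
    return urlsplit(redirect_url).hostname


if __name__ == "__main__":
    # Constructed attacker value: the legitimate customer host appears inside
    # the string, which is exactly what a substring check would be fooled by.
    attacker_return = "https://rental.airline.example.evil.example/collect"
    print("vulnerable ->", token_destination(vulnerable_callback("sess-123", attacker_return)))
    print("hardened   ->", token_destination(hardened_callback("sess-123", attacker_return)))
```

The check compares the parsed hostname against a fixed set rather than inspecting the raw string, which is why the lookalike subdomain, the userinfo trick, the scheme-relative form and a host hidden behind a “#” all fail. A stronger design would avoid placing the session token in a URL at all, but the validation above is the minimum that closes the open redirect the article describes.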


“Since the manipulated link uses a legitimate customer domain (with manipulation occurring only at the parameter level rather than the domain level), this makes the attack difficult to detect through standard domain inspection or blocklist/allowlist methods,” security researcher Amit Elbirt said.

Salt Labs has described service-to-service interactions as a lucrative vector for API supply chain attacks, wherein an adversary targets the weaker link in the ecosystem to break into systems and steal private customer data.

“Beyond mere data exposure, attackers can perform actions on behalf of the user, such as creating orders or modifying account details,” Elbirt added. “This critical risk highlights the vulnerabilities in third-party integrations and the importance of stringent security protocols to protect users from unauthorized account access and manipulation.”

