
A significant security flaw in a widely used online travel service for hotel and car rentals has been discovered and patched, according to cybersecurity researchers at Salt Labs. The vulnerability potentially affected millions of users across multiple commercial airline platforms.
The security flaw allowed attackers to gain unauthorized access to user accounts through a sophisticated account takeover technique. Once compromised, attackers could:
– Book hotels and car rentals using victims’ airline loyalty points
– Modify or cancel existing bookings
– Access personal information
– Perform various account actions on behalf of the victim
The attack vector involved a simple yet effective method:
1. Creating a specially crafted link
2. Distributing it through common channels (email, SMS, websites)
3. Exploiting the OAuth authentication process between the rental service and airline platforms
4. Intercepting user session tokens by manipulating the “tr_returnUrl” parameter
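As an added illustration of the defensive check that closes this class of bug (this is example code, not Salt Labs' or the affected service's), the following Python validates a return-URL parameter such as “tr_returnUrl” against an allowlist before redirecting, so a crafted link cannot send the post-login session token to an outside host. The allowed hostnames and sample inputs are constructed for the example.

```python
# Added example: allowlist validation for a post-login return-URL parameter
# (the page's "tr_returnUrl"). Not code from Salt Labs or the affected service.
from urllib.parse import urlsplit

# Constructed allowlist: the only hosts the integration may redirect back to.
ALLOWED_HOSTS = {"booking.example-airline.test", "partner.example-travel.test"}


def is_safe_return_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only for a same-site relative path or an https URL on an allowed host."""
    if not url or any(c in url for c in "\r\n\t "):
        return False                              # whitespace / header-injection tricks
    # A single leading "/" is a same-site path. "//host" is protocol-relative and
    # browsers treat "\" like "/", so "/\host" must be rejected as well.
    if url.startswith("/") and not url.startswith(("//", "/\\")):
        return True
    parts = urlsplit(url)
    if parts.scheme != "https":                   # rejects http:, javascript:, data:, ...
        return False
    if parts.username or parts.password:          # "https://good.test@evil.test" style URLs
        return False
    host = parts.hostname or ""                   # hostname is already lowercased, port stripped
    return host in allowed_hosts                  # exact match: no suffix or substring matching


def safe_return_url(url: str, default: str = "/") -> str:
    """Redirect target to use: the requested one if it passes the check, else a fixed default."""
    return url if is_safe_return_url(url) else default


if __name__ == "__main__":
    for candidate in ("/trips/123", "//attacker.test/steal",
                      "https://booking.example-airline.test/callback",
                      "https://booking.example-airline.test@attacker.test/"):
        print(f"{candidate!r:60} -> {safe_return_url(candidate)}")
```

Falling back to a fixed default rather than rejecting the request keeps the login flow working while denying the attacker any control over where the token is delivered.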
The vulnerability was particularly concerning as it targeted the service-to-service API interactions, making it difficult to detect through standard security measures. The affected service, which remains unnamed, is integrated into numerous commercial airline online platforms and allows users to add hotel bookings to their airline itineraries.
The discovery highlights the critical importance of securing third-party integrations and API supply chain connections in travel service ecosystems. The vulnerability has since been addressed, protecting users from unauthorized access and account manipulation.