OAuth Redirect Flaw in Airline Travel Integration Exposes Millions to Account Hijacking

Cybersecurity researchers have disclosed details of a now-patched account takeover vulnerability affecting a popular online travel service for hotel and car rentals. "By exploiting this flaw, attackers can gain unauthorized access to any user’s account within the system, effectively allowing them to impersonate the victim and perform an array of actions on their behalf – including booking hotels and car rentals using the victim's airline loyalty points, canceling or editing booking information, and more," API security firm Salt Labs said in a report shared with The Hacker News. Successful exploitation of the vulnerability could have put millions of online airline users at risk, it added. The name of the company was not disclosed, but it said the service is integrated into "dozens of commercial airline online services" and enables users to add hotel bookings to their airline itinerary. The shortcoming, in a nutshell, can be weaponized trivially by sending a specially crafted link that can be propagated via standard distribution channels such as email, text messages, or attacker-controlled websites. Clicking on the link is enough for the threat actor to hijack control of the victim's account as soon as the login process is complete. Sites that integrate the rental booking service have the option to login to the latter using the credentials associated with the airline service provider, at which point the rental platform generates a link and redirects the user back to the…Read More