Recently, cybersecurity experts identified and disclosed a critical vulnerability in a widely used online travel service, which specializes in hotel and car rentals. This vulnerability, now patched, allowed adversaries to take control of user accounts, posing a significant risk to millions of airline customers.
According to Salt Labs, a firm focused on API security, the flaw enabled attackers to impersonate victims and execute various actions on their behalf. These included accessing sensitive information, making unauthorized bookings using the victim’s airline loyalty points, and altering existing reservations. The specific company affected has not been named, but it integrates its services across numerous commercial airline platforms, facilitating the addition of hotel bookings to travelers’ itineraries.
The vulnerability could be easily exploited through the dissemination of a specially crafted link. This link could be shared via common methods, such as emails or text messages. All it took was for the victim to click on the link, allowing the attacker to seize control of their account immediately upon completing the login process.
The affected service offered users the option to log in using their airline credentials, after which a link would be generated, redirecting users back to the airline’s website to authenticate their identity through OAuth protocols. Following successful login, users were directed to a secured site where they could use their loyalty points for bookings.
Salt Labs revealed that the method of attack involved redirecting the authentication response from the airline site, which included the user’s session token, to a malicious site controlled by the attacker. This was achieved by manipulating the “tr_returnUrl” parameter, enabling unauthorized access to the victim’s account and personal data.
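As an added illustration of the fix for a redirect-parameter weakness of the kind described above (this is not Salt Labs' or the affected service's code; the hostnames, parameter handling and function names are assumed), a server-side allowlist check for a return-URL parameter such as "tr_returnUrl", with the weak substring check shown beside the hardened one:

```python
from urllib.parse import urlsplit

# Hosts the integration legitimately redirects back to (constructed sample values).
ALLOWED_RETURN_HOSTS = {"loyalty.example-airline.com", "book.example-travel.com"}
DEFAULT_RETURN_URL = "https://book.example-travel.com/"


def naive_is_safe(url: str) -> bool:
    """A substring check of the kind that lets a crafted link through."""
    return "example-airline.com" in url


def hardened_is_safe(url: str, allowed_hosts=ALLOWED_RETURN_HOSTS) -> bool:
    """Accept only absolute https URLs whose exact hostname is on the allowlist."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":           # rejects http:// and scheme-relative //host
        return False
    if parts.username or parts.password:  # rejects allowed-host@other-host forms
        return False
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:         # exact match, so lookalike suffixes fail
        return False
    return port in (None, 443)


def resolve_return_url(requested: str) -> str:
    """Redirect only to a validated target; otherwise fall back to a known-good page."""
    return requested if hardened_is_safe(requested) else DEFAULT_RETURN_URL
```

Apply the check both when the login link is generated and when the authentication callback arrives, and log rejected values: a rise in rejected return URLs is a useful signal that crafted links are circulating.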
Amit Elbirt, a security researcher at Salt Labs, pointed out the challenges of detecting such an attack. Because the manipulated link used a legitimate domain, it could evade traditional domain inspection or blacklist-based checks.
Salt Labs emphasized the significance of service-to-service interactions as a prevalent vector for API supply chain attacks. These methods target the vulnerabilities within third-party integrations, compromising user data and enabling actions on their behalf, such as order placements or account modifications.
The tactics involved map to techniques in the MITRE ATT&CK framework: initial access through phishing links, which could in turn enable persistence through the compromised credentials that follow.
As the cybersecurity landscape continues to evolve, this incident underscores the critical need for businesses to adopt stringent security measures to safeguard user data and prevent unauthorized account access. Monitoring for risks associated with third-party integrations is essential to maintaining robust security protocols.