
OAuth Vulnerability Exposed Airline Users to Account Takeovers


A recently discovered vulnerability in the authentication flow of a major provider of online travel services exposed millions of airline customers to potential account takeover, and it illustrates the risks of a misconfigured OAuth flow: a single missing check on where a token is sent can hand the token to an attacker.

The vulnerability, which the travel services company has since fixed, allowed an attacker to redirect a user's OAuth credentials to a server of the attacker's choosing. With that, the attacker could obtain a valid session token issued by an airline's website and use it to log in to the travel company's systems as the victim, then book hotels and car rentals with the victim's airline loyalty points. The flaw was identified by researchers at Salt Security, who were investigating real-world examples of API supply chain attacks.

Salt Security researcher Amit Elbirt stressed the severity of the risk and the need for stringent controls against unauthorized account access and manipulation. A successful exploit would have given the attacker full access to the victim's stored information on the airline's site, including personally identifying information, mileage, and rewards data.

OAuth (Open Authorization) is an authorization framework that lets users grant websites or applications access to their information on other sites without sharing their passwords; sites commonly build "log in with" functionality on top of it. In this case, OAuth let users log in to the travel services company's website using their airline credentials.

The vulnerability stemmed from a failure in the travel company's authentication flow: it did not verify that the destination to which sensitive authentication credentials were sent was a legitimate, pre-registered domain. Because the target was accepted as supplied, an attacker could substitute a server they controlled and receive the victim's credentials there, leading to unauthorized account access.
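The check described above is the one that decides where a token is delivered, and it is only safe if it compares the requested target against an exact allowlist of pre-registered callback URIs. The following is an added example written for this article, not code from the travel company, the airline, or Salt Security; the hostnames, the callback path, and the token value are constructed for illustration. It shows a prefix-match check of the kind that leads to this class of bug beside a strict exact-match check, and a simulated authorization step that reports which host would actually receive the token for a legitimate callback and for two attacker-supplied targets.

```python
from typing import Callable, Optional
from urllib.parse import urlencode, urlsplit

# Hypothetical pre-registered callback for the travel site (constructed).
REGISTERED_REDIRECT_URIS = {
    "https://travel.example.com/oauth/callback",
}


def naive_redirect_allowed(redirect_uri: str) -> bool:
    """Flawed check: a string-prefix test on the expected origin.

    It accepts any URI that merely begins with the trusted origin, so a
    look-alike host or a userinfo component can steer the token elsewhere.
    """
    return redirect_uri.startswith("https://travel.example.com")


def strict_redirect_allowed(redirect_uri: str) -> bool:
    """Hardened check: exact match against pre-registered callback URIs.

    Only a plain https URL with a bare host, no port, no userinfo, no query
    and no fragment is accepted, and its canonical form must equal one of
    the registered URIs character for character.
    """
    try:
        p = urlsplit(redirect_uri)
        # .port raises ValueError on a malformed port; treat that as a reject.
        if p.scheme != "https" or p.username is not None or p.port is not None:
            return False
    except ValueError:
        return False
    if p.query or p.fragment or p.hostname is None:
        return False
    canonical = f"https://{p.hostname}{p.path}"  # hostname is lower-cased
    return canonical in REGISTERED_REDIRECT_URIS


def authorize(redirect_uri: str, check: Callable[[str], bool],
              token: str = "constructed-session-token") -> Optional[str]:
    """Simulated authorization endpoint (constructed, not the real one).

    If the redirect target passes `check`, return the URL the user agent
    would be sent to, with the token in the fragment (implicit-flow style).
    Otherwise return None, meaning the request is refused.
    """
    if not check(redirect_uri):
        return None
    return f"{redirect_uri}#{urlencode({'access_token': token})}"


def token_destination(redirect_uri: str,
                      check: Callable[[str], bool]) -> Optional[str]:
    """Return the host that would receive the token, or None if refused."""
    url = authorize(redirect_uri, check)
    return None if url is None else urlsplit(url).hostname


# Constructed inputs: one legitimate callback and two attacker-supplied targets.
LEGIT = "https://travel.example.com/oauth/callback"
LOOKALIKE = "https://travel.example.com.attacker.example/oauth/callback"
USERINFO = "https://travel.example.com@attacker.example/oauth/callback"


def demo() -> dict:
    """Where the token lands under each check, for each redirect target."""
    results = {}
    for name, uri in (("legit", LEGIT), ("lookalike", LOOKALIKE),
                      ("userinfo", USERINFO)):
        results[name] = {
            "naive": token_destination(uri, naive_redirect_allowed),
            "strict": token_destination(uri, strict_redirect_allowed),
        }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:10s} naive -> {outcome['naive']}  strict -> {outcome['strict']}")
```

With the prefix check, both attacker-supplied targets are accepted and the token is delivered to attacker.example; with the exact-match check, only the registered callback receives a token. The strict version deliberately refuses query strings, ports and case differences in the path; if a deployment genuinely needs a query component in a callback, register the full URI including that query and keep the comparison exact rather than loosening the parser.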

According to Yaniv Balmas, Vice President of Research at Salt Security, similar vulnerabilities in OAuth implementation processes have been identified in other major platforms, such as Booking.com, Grammarly, Vidio, and Bukalapak. These issues highlight the common challenges organizations face in ensuring the security of third-party integrations and the potential risks of account takeovers.

Balmas emphasized that responsibility for the security of customers' accounts falls on the third-party service provider, since the airline typically has little visibility into such attacks and limited means to detect or prevent them. Without stringent security standards and protocols in place, users remain exposed to account takeover and unauthorized access.

In light of this incident, organizations should prioritize robust security measures that safeguard user data and prevent exploitation of flaws in their authentication flows. By auditing their OAuth implementations, and in particular by strictly validating where tokens and credentials are sent, companies can reduce the risk of account takeover and protect customer information from unauthorized access.

