Salt Labs recently uncovered a critical account takeover vulnerability in a popular online travel service that assists users in booking hotels and car rentals. This service is integrated with various commercial airline platforms, allowing users to seamlessly add accommodations to their airline itineraries.
The vulnerability, if exploited, could allow malicious actors to gain unauthorized access to user accounts within the system. This access would enable attackers to impersonate victims and conduct various actions on their behalf, such as booking hotels and rental cars using the victim’s airline loyalty points, altering or canceling reservations, and more.
The flaw could be triggered through a malicious link that bypasses the travel service’s security measures. Attackers could distribute this link through email, text messages, or attacker-controlled websites to deceive users. Once the victim clicks on the link and successfully authenticates with the airline service, the attacker would have full access to the user’s travel account.
This security vulnerability put millions of airline customers at risk, highlighting a concerning trend in API security where convenience often takes precedence over security. Akhil Mittal, Senior Manager at Black Duck, pointed out that travel platforms aim to provide user-friendly experiences, but this can create blind spots that attackers exploit. Mittal emphasized the importance of implementing granular access controls, proper token validation, and strong authentication measures in API security to prevent such vulnerabilities.
John Bambenek, President at Bambenek Consulting, mentioned that open redirects have been a known weakness for over a decade and should not be overlooked, especially with the increasing value of airline loyalty points. He emphasized the need for basic web security practices to be in place to protect user accounts.
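The open redirect Bambenek refers to is the usual mechanism behind a link-based takeover of this shape: a login or callback endpoint accepts a "return to" URL, validates it loosely, and after the victim authenticates sends the browser, along with the session token or authorization code, to a host the attacker controls. The article does not show the vendor's code or name the parameter involved, so the following is an added illustration, not Salt Labs' or the travel service's code. It assumes a redirect parameter conventionally called `next` and hypothetical hosts `travel.example.com` and `www.travel.example.com`, and places a substring-style check (the kind that an `@`, a look-alike subdomain, or a scheme-relative `//` slips past) beside an allowlist check that resolves the URL before deciding.

```python
from urllib.parse import urljoin, urlparse

# Hypothetical trusted hosts; the article does not name the real ones.
ALLOWED_HOSTS = {"travel.example.com", "www.travel.example.com"}
DEFAULT_LANDING = "https://travel.example.com/account"


def redirect_target_weak(next_url: str) -> str:
    """Loose 'before' check: trusts any value that merely contains our host.

    This is the pattern an open redirect typically hides behind: the test
    passes for https://travel.example.com@evil.com/ (userinfo trick) and for
    https://travel.example.com.evil.com/ (attacker-registered suffix).
    """
    if "travel.example.com" in next_url:
        return next_url
    return DEFAULT_LANDING


def redirect_target_safe(next_url: str, base: str = DEFAULT_LANDING) -> str:
    """Hardened check: resolve, then require https and an allowlisted host.

    Anything that fails lands on DEFAULT_LANDING instead of being redirected.
    """
    if not next_url:
        return base
    # Browsers treat '\' like '/' in URLs, urlparse does not. Rejecting it
    # outright avoids "/\evil.com" being parsed as a local path here but
    # followed as //evil.com by the browser.
    if "\\" in next_url:
        return base
    # Resolve relative targets such as "/trips/123" against our own origin.
    # A scheme-relative "//evil.com/x" resolves to https://evil.com/x and is
    # then rejected by the host check below.
    resolved = urljoin(base, next_url)
    parts = urlparse(resolved)
    if parts.scheme != "https":
        return base  # rejects http downgrade and javascript:/data: schemes
    # parts.hostname strips userinfo and port, so
    # https://travel.example.com@evil.com/ yields "evil.com" and fails.
    if parts.hostname not in ALLOWED_HOSTS:
        return base
    if parts.username or parts.password:
        return base  # never forward credentials embedded in the target
    return resolved


def compare(next_url: str) -> dict:
    """Return what each check would do with one candidate redirect target."""
    return {
        "input": next_url,
        "weak": redirect_target_weak(next_url),
        "safe": redirect_target_safe(next_url),
    }


if __name__ == "__main__":
    # Constructed sample targets, the kind an attacker would embed in a
    # phishing link, alongside two legitimate ones.
    samples = [
        "/trips/123",
        "https://www.travel.example.com/trips?x=1",
        "https://travel.example.com@evil.com/",
        "https://travel.example.com.evil.com/",
        "//evil.com/collect",
        "/\\evil.com",
        "http://travel.example.com/",
    ]
    for s in samples:
        r = compare(s)
        print(f"{r['input']!r:45} weak -> {r['weak']}\n{'':45} safe -> {r['safe']}")
```

Two points from the comparison are worth keeping in mind when reviewing a redirect check: parse first and decide on the parsed host, never on the raw string, and treat the host as an exact allowlist member rather than a prefix or substring. The backslash rejection is there because the server-side parser and the browser disagree on that character, and a validator that only consults one of them is exactly the kind of blind spot the article describes.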
Ray Kelly, Fellow at Black Duck, highlighted the challenges of securing APIs when integrating with third-party services. He emphasized the importance of expertise, thorough planning, and time to address vulnerabilities effectively and mitigate risks before deploying to production. Kelly also advised users to avoid clicking on links in unsolicited messages to reduce the risk of account theft.
As businesses continue to rely on APIs, ensuring the security of these ecosystems must become a top priority. Robust threat detection, regular API audits, and adopting zero-trust principles can all contribute to mitigating risks. Organizations that neglect API security could face severe consequences in the form of potential breaches.
In conclusion, proactive measures are no longer optional but essential for businesses looking to secure their API ecosystems. With the expected increase in API attacks, organizations must prioritize security to avoid becoming the next target of malicious actors.