Jan 28, 2025, by Ravie Lakshmanan
Cybersecurity researchers have disclosed details of a recently discovered account takeover vulnerability in a popular online travel service for hotel and car rentals.
In a statement shared with The Hacker News, API security company Salt Labs said that by exploiting this weakness, attackers can gain unauthorized access to any user's account within the system, which in turn allows them to impersonate the victim and carry out a variety of actions on their behalf, including canceling or modifying booking information, and more.
Millions of online airline users might have been at risk had the vulnerability been successfully exploited, it added. Although the company's name was not made public, Salt Labs said that the service is integrated into "dozens of commercial airline online services" and that it enables users to add hotel reservations to their airline trips.
The flaw, in a nutshell, can be weaponized by sending a specially crafted link that can be propagated via regular distribution channels such as email, text messages, or attacker-controlled websites. As soon as the victim clicks the link and logs in, the threat actor gains access to their account.
Sites that integrate the rental booking service have the option of logging into the latter using the credentials provided by the airline service provider, after which the rental platform creates a link and redirects the user to the airline’s website to complete authentication.
Once the sign-in is successful, users are redirected to a site whose hostname follows the format "<rental-service>.<airline-provider>". The rental service is a website where travelers can book hotels and car rentals using their airline loyalty points.
The attack method devised by Salt Labs involves redirecting the authentication response from the airline site, which includes the user's session token, to a site under the attacker's control by manipulating a "tr_returnUrl" parameter, effectively allowing them to access the victim's account in an unauthorized manner, including their personal information.
Security researcher Amit Elbirt said that because the manipulated link uses a legitimate customer domain, the attack is difficult to detect using standard domain inspection or blocklist or allowlist techniques because the manipulation only occurs at the parameter level rather than the domain level.
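The defensive counterpart to the parameter manipulation described above is strict validation of the return URL before the authentication response is sent anywhere. The following is an added example, not code from Salt Labs or the unnamed rental service; the allowlisted hostnames are hypothetical, and the parameter name "tr_returnUrl" is taken from the article. It contrasts the trusting pattern with an exact-host allowlist check that also rejects userinfo, non-https schemes and scheme-relative forms.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist of the exact hosts the platform may return users to.
# Hypothetical names; the real customer domains are not named in the article.
ALLOWED_RETURN_HOSTS = frozenset({
    "rental.airline-a.example",
    "rental.airline-b.example",
})
DEFAULT_RETURN_URL = "https://rental.airline-a.example/"


def naive_return_url(tr_return_url: str) -> str:
    """Vulnerable pattern: the parameter is trusted as the redirect target.

    Whatever destination is supplied here receives the authentication
    response, and with it the session token.
    """
    return tr_return_url


def safe_return_url(tr_return_url: str, fallback: str = DEFAULT_RETURN_URL) -> str:
    """Hardened pattern: only absolute https URLs on an allowlisted host.

    Anything that fails a check falls back to a fixed, known-good URL.
    """
    # Some browsers treat backslashes as path separators; refuse them outright.
    if "\\" in tr_return_url:
        return fallback
    try:
        parts = urlsplit(tr_return_url)
    except ValueError:
        return fallback
    # Scheme-relative ("//host/...") and non-https URLs are rejected.
    if parts.scheme != "https":
        return fallback
    # Reject userinfo ("trusted@evil") and explicit ports; the host must be bare.
    if "@" in parts.netloc or ":" in parts.netloc:
        return fallback
    # Exact-match the lower-cased hostname; suffix or prefix matching is not enough.
    if parts.hostname not in ALLOWED_RETURN_HOSTS:
        return fallback
    # Rebuild the URL from validated parts, dropping any fragment.
    return urlunsplit(("https", parts.hostname, parts.path or "/", parts.query, ""))
```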
Salt Labs has described service-to-service interactions as a lucrative vector for API supply chain attacks, wherein an attacker targets the weaker link in the ecosystem to break into systems and steal private customer data.
"Beyond mere data exposure, attackers can perform actions on behalf of the user, such as creating orders or modifying account details," Elbirt added. This significant risk highlights the vulnerabilities in third-party integrations and the importance of stringent security measures to safeguard users from unauthorized account access and manipulation.