

API Security Flaw Found in Booking.com Allowed Full Account Takeover

Salt Security's research team, Salt Labs, has disclosed several flaws in the way the popular online travel agency Booking.com implemented its OAuth (Open Authorization) login feature. According to Salt Labs, the vulnerabilities affected users who sign in to the site with their Facebook account, and could have enabled both large-scale account takeover and compromise of the site's servers. OAuth is designed to give users a frictionless sign-in experience, but the redirect-based handshake behind it is far more complex than it appears to the user, and a mistake at any step of that sequence can undermine the whole login.

OAuth has become the industry standard for delegated login and is used by hundreds of thousands of services around the world, yet a misconfigured deployment can have drastic consequences for both companies and their customers, because it can leave sensitive data exposed. In Booking.com's case, Salt Labs stated that the OAuth sequence on the site could be manipulated to hijack sessions and take over accounts. Booking.com has reportedly fixed the flaw since Salt Labs disclosed it.
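
The brief does not say which step of Booking.com's OAuth flow was abused, so the following is an added illustration, not code from Salt Labs or Booking.com, of the checks a relying party must enforce on the callback it receives from the identity provider before it redeems the authorization code: exact-match validation of the redirect target, a single-use `state` value bound to the browser session that started the login, and rejection of replayed codes. The class name `OAuthCallbackGuard`, the registered URI `https://rp.example/oauth/callback`, and the session identifiers are assumptions chosen for the example.

```python
"""Relying-party checks for an OAuth 2.0 authorization-code callback.

Added illustration only: this is not Booking.com's or Salt Labs' code, and the
brief does not say which of these checks was missing there.  It shows the
minimum a client should enforce on the redirect it gets back from the IdP.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Assumption: the relying party registered exactly this redirect URI with the
# identity provider.  Matching is exact-string, never prefix or substring, so
# look-alike hosts and path tricks such as "/callback/../x" are rejected.
REGISTERED_REDIRECT_URIS = {"https://rp.example/oauth/callback"}


class OAuthCallbackGuard:
    """Tracks pending logins and validates the callback before the code is
    exchanged for tokens."""

    def __init__(self):
        self._pending = {}        # state -> browser session that began the login
        self._used_codes = set()  # authorization codes already redeemed

    def begin_login(self, session_id):
        """Mint an unguessable, single-use state bound to the caller's session."""
        state = secrets.token_urlsafe(32)
        self._pending[state] = session_id
        return state

    def complete_login(self, session_id, callback_url):
        """Return (code, None) if the callback is acceptable, else (None, reason).

        session_id is the browser session that *received* the redirect.  It must
        be the session that called begin_login; otherwise an attacker can plant
        a code from their own login into the victim's session (login CSRF),
        which is one way OAuth misuse turns into account takeover.
        """
        parts = urlsplit(callback_url)
        base = f"{parts.scheme}://{parts.netloc}{parts.path}"
        if base not in REGISTERED_REDIRECT_URIS:
            return None, "redirect target is not an exactly registered URI"

        params = parse_qs(parts.query)
        state = params.get("state", [None])[0]
        code = params.get("code", [None])[0]
        if not state or not code:
            return None, "missing state or code"

        # pop() makes the state single-use: a replayed callback fails here.
        bound_session = self._pending.pop(state, None)
        if bound_session is None:
            return None, "unknown or already-used state"
        if not hmac.compare_digest(bound_session, session_id):
            return None, "state was issued to a different session"

        if code in self._used_codes:
            return None, "authorization code already redeemed"
        self._used_codes.add(code)
        return code, None


if __name__ == "__main__":
    # Constructed walk-through: a legitimate login, then three abuse attempts.
    guard = OAuthCallbackGuard()
    good_state = guard.begin_login("sess-victim")
    cb = "https://rp.example/oauth/callback?code=c1&state="
    print("legit   ", guard.complete_login("sess-victim", cb + good_state))
    print("replay  ", guard.complete_login("sess-victim", cb + good_state))
    attacker_state = guard.begin_login("sess-attacker")
    print("csrf    ", guard.complete_login("sess-victim", cb + attacker_state))
    fresh = guard.begin_login("sess-victim")
    print("badhost ", guard.complete_login(
        "sess-victim",
        "https://rp.example.evil.tld/oauth/callback?code=c2&state=" + fresh))
```

The redirect check runs before the state is consumed, so a rejected callback does not burn the pending login; a code that was already redeemed is refused even when it arrives with a fresh, valid state, which is what stops an intercepted code from being reused.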

Read More: API Security Flaw Found in Booking.com Allowed Full Account Takeover