Passing booking information as URL arguments allows third parties to intercept booking information for data collection, according to Symantec.
The reservation systems used on hotel websites that allow users to book rooms can potentially leak personal data, according to Symantec researcher Candid Wueest, in a report published Wednesday. Wueest tested multiple websites counting "more than 1,500 hotels in 54 countries," and found that 67% of these sites leak booking reference codes to third-party websites due to the way links are formed to allow users to view or edit their booking.
According to the report, 57% of confirmation emails include a direct access URL to view booking information without requiring authentication, of which 29% use insecure URLs that pass variables inside the URL, in formats similar to the following:
If the hotel website uses external resources, when this page is loaded, referrer data is sent, leaking the full URL to third parties. With this information, malicious actors within those third-party organizations can view reservation details and personal information—including name, address, phone number, passport number, credit card type, expiration, and last four digits of the card number—and even cancel the reservation. This is especially concerning for business travelers, who could have corporate card information stolen along with personal information.
SEE: IT pro's guide to GDPR compliance (free PDF) (TechRepublic)
The report further notes that this data remains visible even if the reservation is cancelled. Interestingly, third-party hotel search engines "appear to be slightly more secure," with only two of the five websites tested leaking credentials, and one sending a login link without encryption. Worryingly, the report also indicates that the booking number is simply incremented by one for each reservation, making it possible to brute force access if the email address is known, a problem which Wueest claims is widespread.
It is unclear how many individual websites this actually affects—due to consolidation in the hospitality industry, hotel chains operate a variety of websites for individual hotels or brands that share a common backend. Wueest notes that due to this, "my research for one hotel applies to other hotels in the chain," though does not provide specifics on the number of individual websites tested.
Given the widespread nature of this issue, protecting your personal information from poor handling practices of third parties is challenging. If your credit card offers disposable, one-time-use numbers, taking advantage of that service may be of some help to safeguarding your financial information.
For more on security, check out "Businesses beware: Spearphishing attacks aim to change payroll direct deposits" and "Employee mistakes and system errors are a larger threat to data security than hackers or insiders."
- Cheat sheet: How to become a cybersecurity pro (TechRepublic)
- Phishing attacks: A guide for IT pros (TechRepublic download)
- Information security policy (Tech Pro Research)
- Online security 101: Tips for protecting your privacy from hackers and spies (ZDNet)
- The best password managers of 2019 (CNET)
- Cybersecurity and cyberwar: More must-read coverage (TechRepublic on Flipboard)