Cybersecurity researchers have disclosed details of a now-patched account takeover vulnerability affecting a popular online travel service for hotel and car rentals.
“By exploiting this flaw, attackers can gain unauthorized access to any user’s account within the system, effectively allowing them to impersonate the victim and perform an array of actions on their behalf – including booking hotels and car rentals using the victim’s airline loyalty points, canceling or modifying booking information, and more,” API security firm Salt Labs said in a report shared with The Hacker News.
Successful exploitation of the vulnerability could have put millions of online airline users at risk, it added. The name of the company was not disclosed, but it said the service is integrated into “dozens of commercial airline online services” and allows users to add hotel bookings to their airline itinerary.
The shortcoming, in a nutshell, can be weaponized trivially by sending a specially crafted link that can be propagated via standard distribution channels such as email, text messages, or attacker-controlled websites. Clicking on the link is enough for the threat actor to hijack control of the victim’s account as soon as the login process is complete.
Sites that integrate the rental booking service have the option to log in to the latter using the credentials associated with the airline service provider, at which point the rental platform generates a link and redirects the user back to the airline’s website to complete authentication via OAuth.
Once the sign-in is successful, the users are directed to a site that adheres to the format “<rental-service>.<airlineprovider>.sec,” from where they can use their airline loyalty points to book hotels and car rentals.
The attack methodology devised by Salt Labs entails redirecting the authentication response from the airline site, which includes the user’s session token, to a site under the attacker’s control by manipulating a “tr_returnUrl” parameter, effectively allowing them to access the victim’s account in an unauthorized manner, including their personal information.
“Since the manipulated link uses a legitimate customer domain (with manipulation occurring only at the parameter level rather than the domain level), this makes the attack difficult to detect by standard domain inspection or blocklist/allowlist methods,” security researcher Amit Elbirt said.
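As an added illustration (not code from Salt Labs or the affected service), the following Python shows the kind of server-side check that closes a parameter-level redirect like the one described above: a requested `tr_returnUrl` is honoured only when it is an absolute https URL whose host exactly matches an allowlisted host, otherwise the flow falls back to a fixed destination. The host names, paths and links are constructed for the example.

```python
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist: the only hosts the authentication response (and the
# session token it carries) may be sent back to. Hypothetical host name.
ALLOWED_RETURN_HOSTS = {"rental.example-airline.test"}

# Constructed fixed landing page used whenever the requested target is rejected.
SAFE_FALLBACK = "https://rental.example-airline.test/"


def is_safe_return_url(url: str, allowed_hosts=ALLOWED_RETURN_HOSTS) -> bool:
    """Accept only absolute https URLs whose full netloc is allowlisted.

    Comparing the whole netloc (not just the hostname) rejects userinfo tricks
    such as https://good.test@evil.test/ and unexpected ports in one step.
    Backslashes and control characters are refused up front because browsers
    and URL parsers disagree on how to treat them.
    """
    if not isinstance(url, str) or "\\" in url or any(c in url for c in "\r\n\t"):
        return False
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False  # also rejects scheme-relative targets such as //evil.test/
    return parts.netloc.lower() in allowed_hosts


def extract_return_url(login_link: str) -> Optional[str]:
    """Return the tr_returnUrl query parameter of a login link, or None if absent."""
    values = parse_qs(urlsplit(login_link).query).get("tr_returnUrl")
    return values[0] if values else None


def resolve_return_url(login_link: str, fallback: str = SAFE_FALLBACK) -> str:
    """Decide where the post-login response may be redirected.

    A link that keeps the legitimate customer domain but carries an
    attacker-chosen tr_returnUrl value resolves to the fallback, so the session
    token never leaves the allowlisted host.
    """
    requested = extract_return_url(login_link)
    if requested is not None and is_safe_return_url(requested):
        return requested
    return fallback
```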
Salt Labs has described service-to-service interactions as a lucrative vector for API supply chain attacks, wherein an adversary targets the weaker link in the ecosystem to break into systems and steal private customer data.
“Beyond mere data exposure, attackers can perform actions on behalf of the user, such as creating orders or modifying account details,” Elbirt added. “This critical risk highlights the vulnerabilities in third-party integrations and the importance of stringent security protocols to protect users from unauthorized account access and manipulation.”