Security BUZZ - Airline Passengers at Risk: How a Security Flaw Left Millions Vulnerable

    Posted 02-07-2025 08:58

    Imagine booking a flight, checking in online, and arriving at the airport, only to find that someone else has taken over your account, potentially causing issues like canceling your flight. A recent security flaw was identified in a popular travel service for hotel and car rentals that uses OAuth. This travel service is integrated into many commercial airline websites, allowing users to add hotel bookings to their flight itineraries. This widely used login method has put millions of travelers at risk of account takeovers.

    As a reminder, OAuth is an open standard that enables users to log into websites and apps using their third-party accounts, such as Google or Facebook. Its purpose is to simplify the login experience. However, a flaw in the way some airlines implemented OAuth left their systems vulnerable to hackers. This vulnerability could allow cybercriminals to hijack user accounts, access personal information, and even steal loyalty points or sensitive travel details. Fortunately, the issue has been resolved.

    For travelers, having an exposed account means more than just inconvenience; it can lead to identity theft, financial loss, or unauthorized access to future flights.

    Takeaways:

    1. Security and convenience live on opposite poles – While social logins like Google or Facebook provide the convenience of a single login to multiple services, the user will always be at the mercy of bad coding practices and unknown vulnerabilities. Use password managers to store all your passwords and create a unique login per site. If that site is compromised, that is one password/place to change it.
    2. Enable Multi-Factor Authentication (MFA) – Make sure at least all your social logins are MFA-protected. That will reduce the risk of someone reusing your social account.
    3. Make it count – While the travel site in this story was not disclosed for security purposes, if you are using social login (e.g., Google, Facebook, Microsoft, LinkedIn, etc.) on any travel site, it is wise to reset your password for the social login you used and configure a separate account for the travel site.

    #ALTACyber



    ------------------------------
    Genady Vishnevetsky
    Chief Info Security Officer
    Stewart Title Guaranty Company
    Houston TX
    ------------------------------
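The post above says the flaw was in how OAuth was implemented but does not describe it, so the following is not the travel service's code and does not reconstruct the actual bug. It is an added example, written for this page, of the three checks that the OAuth 2.0 Security Best Current Practice puts on an authorization-code login like the one the post describes: exact-match `redirect_uri` validation on the authorization server (shown beside the loose prefix match that lets a look-alike host through), a session-bound single-use `state` on the client, and PKCE so an intercepted code cannot be redeemed. All hostnames, the `airline-web` client id and the function names are constructed for the illustration; the one PKCE test vector is the published example from RFC 7636.

```python
"""Added example (not from the post or any real airline): OAuth 2.0
relying-party and authorization-server checks for an authorization-code login.
Hostnames and client id below are constructed for illustration."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed client registration: the exact redirect URI(s) on file at the
# authorization server for the hypothetical client "airline-web".
REGISTERED_REDIRECT_URIS = {"https://app.example-airline.test/oauth/callback"}
REGISTERED_ORIGIN = "https://app.example-airline.test"
AUTHORIZE_ENDPOINT = "https://login.example-travel.test/authorize"  # constructed


def as_redirect_uri_allowed_lax(requested: str) -> bool:
    """Authorization-server side, the weak form: a prefix match on the origin.
    Accepts app.example-airline.test.attacker.test, so the one-time code is
    sent to an attacker-controlled host."""
    return requested.startswith(REGISTERED_ORIGIN)


def as_redirect_uri_allowed_strict(requested: str) -> bool:
    """Authorization-server side, the correct form: exact string comparison
    against the registered URIs. No prefix, wildcard or path normalisation."""
    return requested in REGISTERED_REDIRECT_URIS


def pkce_challenge(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(verifier)) without padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def as_pkce_ok(stored_challenge: str, presented_verifier: str) -> bool:
    """Authorization-server side at the token endpoint: the verifier presented
    with the code must hash to the challenge stored with that code."""
    return secrets.compare_digest(
        pkce_challenge(presented_verifier).encode(), stored_challenge.encode()
    )


def start_login(session: dict) -> str:
    """Client side, step 1: bind a fresh state and PKCE verifier to the user's
    browser session and return the authorization URL to redirect to."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    session["pkce_verifier"] = secrets.token_urlsafe(64)  # 86 chars, within 43..128
    params = {
        "response_type": "code",
        "client_id": "airline-web",  # constructed
        "redirect_uri": "https://app.example-airline.test/oauth/callback",
        "state": session["oauth_state"],
        "code_challenge": pkce_challenge(session["pkce_verifier"]),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def handle_callback(session: dict, callback_url: str):
    """Client side, step 2: validate the redirect back from the authorization
    server. Returns (code, verifier) for the token request, or None when the
    state is missing, mismatched or already consumed."""
    q = parse_qs(urlsplit(callback_url).query)
    state = q.get("state", [""])[0]
    # Consume the state even on failure: a state is usable exactly once, which
    # blocks both CSRF login and replay of a captured callback URL.
    expected = session.pop("oauth_state", None)
    verifier = session.pop("pkce_verifier", None)
    if not expected or not secrets.compare_digest(state.encode(), expected.encode()):
        return None
    code = q.get("code", [""])[0]
    if not code or verifier is None:
        return None
    return code, verifier


if __name__ == "__main__":
    s = {}
    print("redirect user to:", start_login(s))
    good = f"https://app.example-airline.test/oauth/callback?code=abc123&state={s['oauth_state']}"
    print("callback accepted:", handle_callback(s, good) is not None)
    print("replay accepted:", handle_callback(s, good) is not None)
    evil = "https://app.example-airline.test.attacker.test/oauth/callback"
    print("lax check lets look-alike host through:", as_redirect_uri_allowed_lax(evil))
    print("strict check rejects it:", not as_redirect_uri_allowed_strict(evil))
```

The `state` and PKCE values live only in the server-side session that issued them, which is why the callback handler pops them whether or not validation succeeds; a social-login account takeover of the kind the post warns about usually depends on one of these three checks being loose, and none of them changes the user-visible flow.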