4/10/2019 05:03 PM
Majority of Hotel Websites Leak Guest Booking Info

Third parties such as ad, search engine, and analytics firms often have access to guest names, addresses, phone numbers, credit card details and other data, Symantec says.

Information that people submit when making an online hotel reservation is often available in its entirety to a lot more parties than just the hotel itself.

New research from Symantec shows that a majority of hotels, from small independent properties to large five-star resorts and chains, routinely leak detailed guest booking data to third-party advertisers, social media websites, data aggregators, and other partners.

Guest information available to such parties includes full name, address, mobile phone number, passport number, and the last four digits of credit card numbers.

Candid Wueest, a threat researcher at Symantec, tested more than 1,500 hotels in 54 countries to understand the scope of the problem. He discovered that more than two-thirds of them (67%) were inadvertently leaking booking reference codes to third-party sites. "The information shared could allow these third-party services to log into a reservation, view personal details, and even cancel the booking altogether," he said in a report Wednesday.

Nearly six in 10 (57%) of the sites tested sent a confirmation email to guests after a booking was completed. The emails contained a link that allowed the guest to directly access their reservation details without having to log in.

Since the emails use a static link, the booking reference code and the guest's email address are contained in the URL itself. The problem is that many hotels load additional content, such as advertisements, on the same booking overview page, and the browser passes the page's URL, booking code included, to each of those third-party servers in the Referer header of the request that fetches the content.
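The leak described above can be audited from the page itself. The following is an added example, not Symantec's tooling or any hotel's code: it takes a constructed confirmation URL of the kind the article describes, a constructed booking overview page that embeds third-party resources, and computes, for each cross-origin resource, which sensitive query parameters the browser's Referer header would hand to that third party under a given Referrer-Policy. The URL, HTML, hostnames and the choice of `booking` and `email` as the sensitive parameters are assumptions of the example; the policy behaviour modelled (full URL under `no-referrer-when-downgrade`, origin only under `strict-origin-when-cross-origin`, nothing under `no-referrer`) is the standard one.

```python
"""Audit a booking-overview page for leakage of URL parameters to third parties.

Constructed inputs: the confirmation URL and HTML below are samples, not a
real hotel's. For every cross-origin resource on the page we compute the
Referer value a browser would send under a given Referrer-Policy and report
which sensitive query parameters it would carry.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlsplit, urlunsplit

# Constructed: static confirmation link of the kind the article describes.
CONFIRMATION_URL = ("https://hotel.example/reservation/view"
                    "?booking=ABC123456&email=guest%40example.com")

# Constructed: a booking overview page that embeds third-party content.
SAMPLE_HTML = """
<html><body>
<img src="/static/logo.png">
<script src="https://analytics.example/tag.js"></script>
<img src="http://ads.example/pixel.gif?cb=1">
<iframe src="https://social.example/like?u=hotel.example"></iframe>
</body></html>
"""

# Query parameters treated as secrets (an assumption of this example).
SENSITIVE_PARAMS = {"booking", "email"}


class ResourceCollector(HTMLParser):
    """Collects the src of every img, script and iframe tag."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("img", "script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.resources.append(src)


def origin(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def referer_for(page_url, target_url, policy):
    """Referer a browser sends from page_url to target_url under `policy`
    (None when no header is sent). Models the policies relevant here:
    no-referrer-when-downgrade was the browser default in 2019,
    strict-origin-when-cross-origin is the current default."""
    page = urlsplit(page_url)
    full_url = urlunsplit((page.scheme, page.netloc, page.path, page.query, ""))
    same_origin = origin(page_url) == origin(target_url)
    downgrade = page.scheme == "https" and urlsplit(target_url).scheme == "http"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full_url
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full_url
    if policy == "strict-origin-when-cross-origin":
        if downgrade:
            return None
        return full_url if same_origin else origin(page_url) + "/"
    raise ValueError(f"policy not modelled: {policy}")


def leaked_params(referer):
    """Sensitive query parameters present in a Referer value."""
    if not referer:
        return set()
    return SENSITIVE_PARAMS & set(parse_qs(urlsplit(referer).query))


def audit(page_url, html, policy):
    """Map each cross-origin resource URL to the parameters it would receive."""
    collector = ResourceCollector()
    collector.feed(html)
    report = {}
    for src in collector.resources:
        resource = urljoin(page_url, src)
        if origin(resource) == origin(page_url):
            continue  # first-party resource: the hotel already holds the data
        report[resource] = leaked_params(referer_for(page_url, resource, policy))
    return report


if __name__ == "__main__":
    for policy in ("no-referrer-when-downgrade",
                   "strict-origin-when-cross-origin", "no-referrer"):
        print(policy)
        for resource, leaked in audit(CONFIRMATION_URL, SAMPLE_HTML, policy).items():
            print(f"  {resource} receives {sorted(leaked) or 'nothing'}")
```

Run against the sample, the legacy default policy hands both the booking code and the email address to the analytics and social resources (the HTTP ad pixel gets nothing only because of the HTTPS-to-HTTP downgrade), while a `Referrer-Policy: strict-origin-when-cross-origin` or `no-referrer` header on the overview page closes the leak for every third party without changing the URL at all.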

Wueest's research showed that some hotels in fact share the booking reference code with as many as 30 different third parties, including social networks, search engines, analytics and advertisement services.

Wueest says his tests show that such third parties generate an average of 176 requests per booking. A "request" by these third parties can be a resource such as loading an image, a JavaScript file or an iframe, he says. While not all of these requests contain booking details, they do provide an indication of how widely hotels share guest data directly and indirectly.

In many cases, guest booking information remained available on the hotel website and accessible via the email link even after a customer canceled the reservation.

Emails with direct links are not the only problem. Some hotel websites in Wueest's study leaked guest information to online partners during the booking process itself, while others leaked it when customers logged in to their reservation page.

In addition, nearly 30% of the sites sent unencrypted (HTTP rather than HTTPS) links in the email for customers to access reservation information. This gives attackers a way to potentially intercept the link and to view or modify a booking. Such an attack would be feasible in public hotspots such as those in an airport or a hotel.

Privacy and Compliance Risks

For consumers, the key takeaway is that personal information including their full name, home address, email address, credit card details, and passport number might not be kept private when booking hotels, Wueest says.

"The main takeaway here for hotel sites and operators is the fact that this issue exists, despite the [EU General Data Protection Regulation] coming into effect in Europe almost one year ago," he says.

GDPR and other privacy statutes such as the California Consumer Privacy Act prohibit such information sharing without clear, explicit disclosure and consumer consent. Hotels need to take the time to assess their processes and data protections to ensure they are compliant, Wueest notes.

Technically, at least, hotel websites and operators can detect whether any of their trusted partners are using their access to actually view guest reservation information. A hotel, for instance, could check its web server access logs for many different reservation logins from a single IP address, Wueest says. "But it's doubtful that there are alerts in place to automatically detect this in all hotels," he says.
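The access-log check Wueest suggests can be automated. The following is an added example, not Symantec's or any hotel's code: it parses constructed Combined Log Format lines, records which booking codes each client IP has successfully viewed on the reservation page, and flags clients that have looked at more different bookings than a guest plausibly would. The log lines, the `/reservation/view` path, the `booking` parameter name and the threshold of three distinct bookings are assumptions of the example.

```python
"""Flag clients that view many different reservations (added example)."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Combined Log Format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3})'
)

VIEW_PATH = "/reservation/view"   # assumed path of the booking overview page

# Constructed sample log: one guest rereading its own booking, one client
# walking through several different booking codes, one unrelated request.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Apr/2019:10:00:01 +0000] "GET /reservation/view?booking=ABC123456&email=a%40example.com HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Apr/2019:10:05:11 +0000] "GET /reservation/view?booking=ABC123456&email=a%40example.com HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2019:11:00:00 +0000] "GET /reservation/view?booking=ABC123456&email=a%40example.com HTTP/1.1" 200 5120 "-" "partner-crawler/1.0"
198.51.100.7 - - [10/Apr/2019:11:00:02 +0000] "GET /reservation/view?booking=DEF222222&email=b%40example.com HTTP/1.1" 200 5120 "-" "partner-crawler/1.0"
198.51.100.7 - - [10/Apr/2019:11:00:04 +0000] "GET /reservation/view?booking=GHI333333&email=c%40example.com HTTP/1.1" 200 5120 "-" "partner-crawler/1.0"
198.51.100.7 - - [10/Apr/2019:11:00:06 +0000] "GET /reservation/view?booking=JKL444444&email=d%40example.com HTTP/1.1" 404 312 "-" "partner-crawler/1.0"
192.0.2.44 - - [10/Apr/2019:12:00:00 +0000] "GET /static/logo.png HTTP/1.1" 200 840 "-" "Mozilla/5.0"
"""


def booking_views(log_text, view_path=VIEW_PATH):
    """Map each client IP to the set of booking codes it viewed successfully.

    Only 200 responses count: a failed lookup does not expose a reservation,
    though a burst of 404s from one client is itself worth a separate alert.
    """
    views = defaultdict(set)
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m or m["status"] != "200":
            continue
        request = urlsplit(m["path"])
        if request.path != view_path:
            continue
        code = parse_qs(request.query).get("booking", [None])[0]
        if code:
            views[m["ip"]].add(code)
    return dict(views)


def suspicious_clients(log_text, threshold=3):
    """Clients that viewed at least `threshold` distinct bookings."""
    return {ip: sorted(codes)
            for ip, codes in booking_views(log_text).items()
            if len(codes) >= threshold}


if __name__ == "__main__":
    for ip, codes in suspicious_clients(SAMPLE_LOG).items():
        print(f"{ip} viewed {len(codes)} different bookings: {', '.join(codes)}")
```

In a real deployment the per-IP count would be windowed by time and the threshold tuned to the property's traffic, but the core signal is the one Wueest names: a single client reading reservations that belong to many different guests.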

Hotel operators are not the only ones guilty of such inadvertent data leaks. A report by Wandera earlier this year showed that many airline companies are putting passenger data at risk by sending them similarly unencrypted links to check in for flights. The links give attackers a way to view and change passenger details and to print the boarding passes, Wandera found.

Hotels and booking services need to review their online reservation processes and ensure they are compliant with applicable laws, Wueest says. "Sites should use encrypted links and ensure that no credentials are leaked as URL arguments, for example by using cookies," as permitted by privacy laws, he says. "This is notably a developer issue."
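Wueest's three recommendations (encrypted links, no credentials in URL arguments, cookies instead) can be combined into one reservation-access flow. The following is an added example, not Symantec's or any hotel's code. The emailed link carries a single-use, short-lived random token; redeeming it sets an HttpOnly, Secure cookie and redirects to a reservation page whose URL contains neither the booking code nor the guest's email, so the third-party content loaded there gets nothing useful from Referer, and the page additionally sends `Referrer-Policy: no-referrer`. It also addresses the earlier observation that bookings stayed accessible after cancellation: cancelling a booking revokes its tokens and sessions. The `hotel.example` hostname, the one-week link lifetime, the cookie path and the in-memory stores are assumptions of the example.

```python
"""Hardened reservation-access flow (added example, not any hotel's code).

The confirmation email carries a single-use, short-lived token. Redeeming it
sets an HttpOnly cookie and redirects to /reservation, whose URL carries no
booking code or email address. Hostname, lifetime and the in-memory stores
are assumptions for the example.
"""
import hashlib
import secrets
import time

BASE_URL = "https://hotel.example"   # constructed hostname; HTTPS only
TOKEN_TTL = 7 * 24 * 3600            # assumed link lifetime: one week


class ReservationPortal:
    def __init__(self, now=time.time):
        self.now = now        # injectable clock so expiry can be tested
        self.bookings = {}    # booking code -> details
        self.tokens = {}      # sha256(token) -> {"code", "expires", "used"}
        self.sessions = {}    # sha256(session id) -> booking code

    @staticmethod
    def _digest(secret):
        # Only hashes are stored, so a copied datastore yields no live tokens.
        return hashlib.sha256(secret.encode()).hexdigest()

    @staticmethod
    def _cookie(header, name):
        for part in header.split(";"):
            key, _, value = part.strip().partition("=")
            if key == name:
                return value
        return ""

    def add_booking(self, code, details):
        self.bookings[code] = details

    def issue_link(self, code):
        """URL for the confirmation email; it reveals neither code nor email."""
        token = secrets.token_urlsafe(32)
        self.tokens[self._digest(token)] = {
            "code": code, "expires": self.now() + TOKEN_TTL, "used": False}
        return f"{BASE_URL}/r/{token}"

    def redeem(self, token):
        """GET /r/<token>: exchange the token for a session cookie.

        Returns (status, headers). The response is a bare redirect, so no
        third-party content is ever loaded on a page whose URL holds the token.
        """
        rec = self.tokens.get(self._digest(token))
        if (rec is None or rec["used"] or rec["expires"] < self.now()
                or rec["code"] not in self.bookings):
            return 403, {}
        rec["used"] = True
        sid = secrets.token_urlsafe(32)
        self.sessions[self._digest(sid)] = rec["code"]
        return 303, {
            "Location": f"{BASE_URL}/reservation",
            "Set-Cookie": f"session={sid}; Secure; HttpOnly; SameSite=Lax; Path=/reservation",
            "Referrer-Policy": "no-referrer",
            "Strict-Transport-Security": "max-age=31536000",
        }

    def view(self, cookie_header):
        """GET /reservation: the guest is identified by the cookie alone."""
        code = self.sessions.get(self._digest(self._cookie(cookie_header, "session")))
        if code is None:
            return 401, None
        return 200, self.bookings[code]

    def cancel(self, code):
        """Cancelling revokes every token and session tied to the booking."""
        self.bookings.pop(code, None)
        self.tokens = {h: r for h, r in self.tokens.items() if r["code"] != code}
        self.sessions = {h: c for h, c in self.sessions.items() if c != code}


if __name__ == "__main__":
    portal = ReservationPortal()
    portal.add_booking("ABC123456", {"guest": "A. Guest", "nights": 2})
    link = portal.issue_link("ABC123456")
    status, headers = portal.redeem(link.rsplit("/", 1)[1])
    print(status, headers["Location"])
    print(portal.view(headers["Set-Cookie"].split(";")[0]))
```

The token does still travel in a URL once, but it is random, expires, is consumed on first use and lands on an endpoint that serves nothing but a redirect; after that, every page the guest sees identifies them by cookie, and the Strict-Transport-Security header keeps later visits on HTTPS even if a link is typed without the scheme.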


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments

REISEN1955, User Rank: Ninja, 4/11/2019 | 8:46:35 AM
Do not trust internet bookings
I learned painfully that the expense fee of Trivago did not make the grade. Theft of data does not surprise either, from booking site or hotel site. So I do not book over the web anymore. There is a real simple defense against this threat and it is called the TELEPHONE. Pick up the receiver, put it to ear and dial the hotel number. Make reservation. Now you can research rates on the internet so you know when to negotiate, but analog technology still works. Onto more subjects now.

Update - thought about it, and while phone works for booking, they still have to maintain data on a system and book credit card when arriving, so my thoughts above don't work all so good. Sorry.