Dark Reading is part of the Informa Tech Division of Informa PLC


4/10/2019
05:03 PM

Majority of Hotel Websites Leak Guest Booking Info

Third parties such as ad, search engine, and analytics firms often have access to guest name, address, phone numbers, credit cards and other data, Symantec says.

Information that people submit when making an online hotel reservation is often available in its entirety to a lot more parties than just the hotel itself.

New research from Symantec shows that a majority of hotels, from small independent properties to large five-star resorts and chains, routinely leak detailed guest booking data to third-party advertisers, social media websites, data aggregators, and other partners.

Guest information available to such parties includes full name, address, mobile phone number, passport number, and the last four digits of credit card numbers.

Candid Wueest, a threat researcher at Symantec, tested more than 1,500 hotels in 54 countries to understand the scope of the problem. He discovered that more than two-thirds of them (67%) were inadvertently leaking booking reference codes to third-party sites. "The information shared could allow these third-party services to log into a reservation, view personal details, and even cancel the booking altogether," he said in a report Wednesday.

Nearly six-in-10 (57%) of the sites tested sent a confirmation email to guests after a booking was completed. The emails contained a link that allowed the guest to directly access their reservation details without having to log in to do so.

Since the emails use a static link, the booking reference code and the guest's email are contained in the URL itself. What makes this an issue is the fact that many hotels load additional content, such as advertisements, on the same booking overview page.

Wueest's research showed that some hotels in fact share the booking reference code with as many as 30 different third parties, including social networks, search engines, analytics and advertisement services.

Wueest says his tests show that such third parties generate an average of 176 requests per booking. A "request" here means loading a resource such as an image, a JavaScript file, or an iframe, he says. While not all of these requests contain booking details, they do provide an indication of how widely hotels share guest data directly and indirectly.
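A site owner can test for this leak by listing the requests a booking overview page triggers and checking which third-party hosts receive the values carried in the page URL, either in the request URL or in the Referer header. The sketch below is an added example, not part of Symantec's research; the host names, the `ref` and `email` parameter names, and the request list are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample: the static link from a confirmation email and the
# requests the page triggered (e.g. exported from a browser network panel).
PAGE = "https://booking.hotel.example/retrieve?ref=ABC12345&email=guest%40mail.example"
REQUESTS = [
    {"url": "https://booking.hotel.example/static/app.js", "referer": PAGE},
    {"url": "https://ads.tracker.example/pixel.gif?page=https%3A%2F%2Fbooking."
            "hotel.example%2Fretrieve%3Fref%3DABC12345", "referer": ""},
    {"url": "https://cdn.analytics.example/a.js", "referer": PAGE},
    {"url": "https://fonts.cdn.example/font.woff2",
     "referer": "https://booking.hotel.example/"},
]

def is_third_party(host, first_party):
    """Treat the booking host and its subdomains as first party."""
    return not (host == first_party or host.endswith("." + first_party))

def sensitive_values(page_url, param_names):
    """Decoded values of the URL arguments that act as credentials."""
    query = parse_qsl(urlsplit(page_url).query)
    return {v for k, v in query if k in param_names and v}

def find_leaks(page_url, requests, param_names=("ref", "email")):
    """Map each third-party host to the credential values it received."""
    first_party = urlsplit(page_url).hostname
    secrets_in_url = sensitive_values(page_url, param_names)
    leaks = {}
    for req in requests:
        host = urlsplit(req["url"]).hostname or ""
        if not is_third_party(host, first_party):
            continue
        # Values may be percent-encoded inside another URL, so decode first.
        haystack = unquote(req["url"]) + " " + unquote(req.get("referer", ""))
        hits = {s for s in secrets_in_url if s in haystack}
        if hits:
            leaks.setdefault(host, set()).update(hits)
    return {host: sorted(vals) for host, vals in leaks.items()}

if __name__ == "__main__":
    for host, values in find_leaks(PAGE, REQUESTS).items():
        print(host, "received", values)
```
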

In many cases, guest booking information remained available on the hotel website and accessible via the email link even after a customer canceled the reservation.

Emails with direct links are not the only problem. Some hotel websites in Wueest's study leaked guest information to online partners during the booking process itself, while others leaked it when customers logged in to their reservation page.

In addition, nearly 30% of the sites did not encrypt the links they sent in the email for customers to access reservation information. This gives attackers a way to potentially intercept the link and to view or modify a booking. Such an attack would be feasible in public hotspots such as those in an airport or a hotel.

Privacy and Compliance Risks

For consumers, the key takeaway is that personal information including their full name, home address, email address, credit card details, and passport number might not be kept private when booking hotels, Wueest says.

"The main takeaway here for hotel sites and operators is the fact that this issue exists, despite the [EU General Data Protection Regulation] coming into effect in Europe almost one year ago," he says.

GDPR and other privacy statutes such as the California Consumer Privacy Act prohibit such information sharing without clear, explicit disclosure and consumer consent. Hotels need to take the time to assess their processes and data protections to ensure they are compliant, Wueest notes.

Technically, at least, hotel websites and operators can detect whether any of their trusted partners are using their access to actually view guest reservation information. A hotel, for instance, could check its web server access log to see if there are many different logins from a single IP, Wueest says. "But it’s doubtful that there are alerts in place to automatically detect this in all hotels," he says.
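The access-log check described above can be automated by counting how many distinct booking references each client IP successfully opened. This is an added example, not code from Symantec or any hotel; the combined log format, the `/retrieve` path, the `ref` parameter, the threshold, and the log lines themselves are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2019:09:00:01 +0000] "GET /retrieve?ref=AAA111&email=a%40mail.example HTTP/1.1" 200 5120 "-" "bot"
203.0.113.7 - - [10/Apr/2019:09:00:02 +0000] "GET /retrieve?ref=BBB222&email=b%40mail.example HTTP/1.1" 200 5090 "-" "bot"
203.0.113.7 - - [10/Apr/2019:09:00:03 +0000] "GET /retrieve?ref=CCC333&email=c%40mail.example HTTP/1.1" 200 5301 "-" "bot"
198.51.100.20 - - [10/Apr/2019:09:05:00 +0000] "GET /retrieve?ref=DDD444&email=d%40mail.example HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Apr/2019:09:06:00 +0000] "GET /retrieve?ref=DDD444&email=d%40mail.example HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Apr/2019:09:07:00 +0000] "GET /retrieve?ref=EEE555&email=e%40mail.example HTTP/1.1" 404 210 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Apr/2019:09:07:30 +0000] "GET /static/app.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"
""".splitlines()

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def distinct_bookings_per_ip(lines, path="/retrieve", param="ref"):
    """Collect the set of booking references each IP opened successfully."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "200":
            continue  # unparsable line or unsuccessful lookup
        target = urlsplit(m["target"])
        if target.path != path:
            continue
        for ref in parse_qs(target.query).get(param, []):
            seen[m["ip"]].add(ref)
    return seen

def flag_ips(lines, threshold=3):
    """Return {ip: distinct booking count} for IPs at or above the threshold."""
    per_ip = distinct_bookings_per_ip(lines)
    return {ip: len(refs) for ip, refs in per_ip.items() if len(refs) >= threshold}

if __name__ == "__main__":
    print(flag_ips(SAMPLE_LOG))
```

A guest reopening one reservation several times is not flagged, because the count is over distinct references rather than requests.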

Hotel operators are not the only ones guilty of such inadvertent data leaks. A report by Wandera earlier this year showed many airline companies are putting passenger data at risk by sending them similarly unencrypted links to check in for flights. The links give attackers a way to view and change passenger details and to print the boarding passes, Wandera found.

Hotels and booking services need to review their online reservation processes and ensure they are compliant with applicable laws, Wueest says. "Sites should use encrypted links and ensure that no credentials are leaked as URL arguments, for example by using cookies," as permitted by privacy laws, he says. "This is notably a developer issue."
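One way to follow that advice, shown as an added sketch rather than anything Symantec or a hotel published: the email carries an HTTPS link with an opaque token instead of the booking reference and email address, and opening it sets a cookie and redirects to a clean URL before any third-party content loads. The host name, paths, cookie name, and in-memory stores are assumptions; `revoke` covers the case noted earlier of links that kept working after cancellation.

```python
import secrets

LINK_TOKENS = {}   # opaque link token -> (booking_ref, expires_at)
SESSIONS = {}      # session id -> booking_ref, kept server-side only

def issue_link(booking_ref, expires_at):
    """Build the emailed link; it carries no booking reference or email."""
    token = secrets.token_urlsafe(32)
    LINK_TOKENS[token] = (booking_ref, expires_at)
    return "https://booking.hotel.example/open/" + token

def revoke(booking_ref):
    """Invalidate every link for a booking, e.g. when it is cancelled."""
    for token, (ref, _) in list(LINK_TOKENS.items()):
        if ref == booking_ref:
            del LINK_TOKENS[token]

def open_link(token, now):
    """Handle GET /open/<token>: return (status, headers), never page content.

    The response is a bare redirect, so no ads or analytics load on a URL
    that contains the token; the overview page itself lives at /booking.
    """
    entry = LINK_TOKENS.get(token)
    if entry is None or now >= entry[1]:
        return 404, {}
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = entry[0]
    return 303, {
        "Location": "/booking",  # clean URL, no credentials as arguments
        "Set-Cookie": f"sid={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/",
        "Referrer-Policy": "no-referrer",  # keep the token out of Referer
        "Cache-Control": "no-store",
    }

if __name__ == "__main__":
    link = issue_link("ABC12345", expires_at=1_000)  # constructed values
    print(link)
    print(open_link(link.rsplit("/", 1)[1], now=500))
```
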


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
REISEN1955
4/11/2019 | 8:46:35 AM
Do not trust internet books
I learned painfully that the expense fee of Trivago did not make the grade. Theft of data does not surprise either, from booking site or hotel site. So I do not book over the web anymore. There is a real simple defense against this threat and it is called the TELEPHONE. Pick up the receiver, put it to ear and dial the hotel number. Make reservation. Now you can research rates on the internet so you know when to negotiate but analog technology still works. Onto more subjects now.

 

Update - thought about it, and while phone works for booking, they still have to maintain data on a system and book credit card when arriving so my thoughts above don't work all so good. Sorry