Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

4/10/2019
05:03 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Majority of Hotel Websites Leak Guest Booking Info

Third parties such as ad, search engine, and analytics firms often have access to guest name, address, phone numbers, credit cards and other data, Symantec says.

Information that people submit when making an online hotel reservation is often available in its entirety to a lot more parties than just the hotel itself.

New research from Symantec shows that a majority of hotels—from small independent properties to large five-star resorts and chains—routinely leak detailed guest booking data with third-party advertisers, social media websites, data aggregators, and other partners.

Guest information available to such parties includes full name, address, mobile phone number, passport number, and the last four digits of credit card numbers.

Candid Wueest, a threat researcher at Symantec tested more than 1,500 hotels in 54 countries to understand the scope of the problem. He discovered more than two-thirds of them—67%—were inadvertently leaking booking reference codes with third-party sites. "The information shared could allow these third-party services to log into a reservation, view personal details, and even cancel the booking altogether," he said in a report Wednesday.

Nearly six-in-10 (57%) of the sites tested sent a confirmation email to guests after a booking was completed. The emails contained a link that allowed the guest to directly access their reservation details without having to log in to do so.

Since the emails use a static link, the booking reference code and the guest's email are contained in the URL itself. What makes this an issue is the fact that many hotels load additional content, such as advertisements, on the same booking overview page.

Wueest's research showed that some hotels in fact share the booking reference code with as many as 30 different third parties, including social networks, search engines, analytics and advertisement services.

Wueest says his tests show that such third parties generate an average of 176 requests per booking.  A "request" by these third parties can be a resource such as loading an image, a javascript or an iframe, he says. While not all of these requests contain booking details, they do provide an indication of how widely hotels share guest data directly and indirectly.

In many cases, guest booking information remained available on the hotel website and accessible via the email link even after a customer canceled the reservation.

Emails with direct links are not the only problem. Some hotel websites in Wueest's study leaked guest information with online partners during the booking process itself, while others leaked it when customers logged in to their reservation page.

In addition, nearly 30% of the sites did not encrypt the links they send in the email for customers to access reservation information. This gives attackers a way to potentially intercept the link and to view or modify a booking. Such an attack would be feasible in public hotspots such as those in an airport or a hotel.

Privacy and Compliance Risks

For consumers, the key takeaway is that personal information including their full name, home address, email address, credit card details, and passport number might not be kept private when booking hotels, Wueest says.

"The main takeaway here for hotel sites and operators is the fact that this issue exists, despite the [EU General Data Protection Regulation] coming into effect in Europe almost one year ago," he says.

GDPR and other privacy statutes such as the California Consumer Privacy Act prohibit such information sharing without clear, explicit disclosure and consumer consent. Hotels need to take the time to assess their processes and data protections to ensure they are compliant, Wueest notes.

Technically at least hotel websites and operators can detect if any of their trusted partners are using their access to actually view guest reservation information. A hotel for instance could check its web server access log to see if there are many different logins from a single IP, Wueest says. "But it’s doubtful that there are alerts in place to automatically detect this in all hotels," he says.

Hotel operators are not the only ones guilty of such inadvertent data leaks. A report by Wandera earlier this year showed many airline companies are putting passenger data at risk by sending them similarly unencrypted links to check-in for flights. The links give attackers a way to view and change passenger details and to print the boarding passes, Wandera found.

Hotels and booking services need to review their online reservation processes and ensure they are compliant with applicable laws, Wueest says. "Sites should use encrypted links and ensure that no credentials are leaked as URL arguments, for example by using cookies," as permitted by privacy laws, he says. "This is notably a developer issue."

Related Content:

  

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
4/11/2019 | 8:46:35 AM
Do not trust internet books
I learned painfully that the expense fee of Trivago did not make the grade.  Theft of data does not surprise either, from booking site or hotel site.  So i do not book over the web anymore.  There is a real simple defense against this threat and it is called the TELEPHONE.  Pick up the receiver, put it to ear and dial the hotel number.  Make reservation.  Now you can research rates on the internet so you know when to negotiate but analog technology still works.  Onto more subjects now.

 

Update - thought about it , and while phone works for booking, they still have to maintain data on a system and book credit card when arriving so my thoughts above don't work all so good.  Sorry
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18216
PUBLISHED: 2019-10-20
** DISPUTED ** The BIOS configuration design on ASUS ROG Zephyrus M GM501GS laptops with BIOS 313 relies on the main battery instead of using a CMOS battery, which reduces the value of a protection mechanism in which booting from a USB device is prohibited. Attackers who have physical laptop access ...
CVE-2019-18214
PUBLISHED: 2019-10-19
The Video_Converter app 0.1.0 for Nextcloud allows denial of service (CPU and memory consumption) via multiple concurrent conversions because many FFmpeg processes may be running at once. (The workload is not queued for serial execution.)
CVE-2019-18202
PUBLISHED: 2019-10-19
Information Disclosure is possible on WAGO Series PFC100 and PFC200 devices before FW12 due to improper access control. A remote attacker can check for the existence of paths and file names via crafted HTTP requests.
CVE-2019-18209
PUBLISHED: 2019-10-19
templates/pad.html in Etherpad-Lite 1.7.5 has XSS when the browser does not encode the path of the URL, as demonstrated by Internet Explorer.
CVE-2019-18198
PUBLISHED: 2019-10-18
In the Linux kernel before 5.3.4, a reference count usage error in the fib6_rule_suppress() function in the fib6 suppression feature of net/ipv6/fib6_rules.c, when handling the FIB_LOOKUP_NOREF flag, can be exploited by a local attacker to corrupt memory, aka CID-ca7a03c41753.