Hotel Reservations Site's OAuth Implementation Allows Full Account Takeover

Researchers exploited issues in the authentication protocol to force an open redirection from the popular hotel reservations site when users used Facebook to log in to accounts.

[Image: a hand catching a padlock that is breaking into pieces. Source: sdecoret via Adobe Stock Photo]

Flaws in the authorization system of the website could have allowed attackers to take over user accounts and gain full visibility into their personal or payment-card data, as well as log in to accounts on the website's sister platform, researchers have found.

Researchers from Salt Security discovered the issues in the platform's implementation of OAuth, an open authorization standard that lets one application access a user's resources on another site on the user's behalf without the user handing over their login credentials, according to a blog post published today. Though it was not specifically designed for this purpose, the protocol has become a standard way for websites to read data from Facebook profiles, or to let a user log in to a site with Google credentials, for example. Most people are familiar with the "Log in with Facebook"-type options on some online accounts that allow users to sign in without creating a new set of login credentials.

"A security breach [via] OAuth can lead to identity theft, financial fraud, and access to all sorts of personal information including credit card numbers, private messages, health records, and more," Yaniv Balmas, vice president of research at Salt Security, wrote in the post.

Specifically, the researchers discovered an open redirection vulnerability in the site and achieved a successful login by accessing the site through the "log in with Facebook" option. They ultimately exploited three security issues and chained them together to gain full account takeover, according to the post.

"Once logged in, the attacker could have performed any action on behalf of the compromised users and gain full visibility into the account, including all of a user's personal information," Balmas wrote.

The issue could have caused a serious data breach for customers of the widely used hotel reservations website, which is part of the Booking Holdings Fortune 500 company and has more than 500 million visitors per month, he said. The site also allows users to rent cars and book taxis.

"An attacker could potentially make unauthorized requests on behalf of a victim, cancel existing reservations, or access sensitive personal information such as booking history, personal preferences, and future reservations," Balmas wrote in the post.

Salt Security disclosed the issues to the company, which the researchers lauded for responding quickly to address and completely mitigate them. Moreover, there had been no evidence of compromise to the platform before the issues were resolved, the company said in a statement provided by Salt Security.

"On receipt of the report from Salt Security, our teams immediately investigated the findings and established that there had been no compromise to the platform, and the vulnerability was swiftly resolved," the company said. "We take the protection of customer data extremely seriously."

How OAuth Works

To understand how the researchers compromised the site's OAuth implementation, it's important to understand how the standard operates on a site and how the site's interpretation of it was flawed.

OAuth comes into play when a user logs in to a website and clicks on the "Log in with Facebook" option that many sites use to allow cross-platform authentication. The site will then open a new window to Facebook and, if it's the user's first time visiting the site, ask for permission to share details with the site. If not, Facebook automatically authenticates the user to the site.

Once the user clicks on a button to, for example, "Continue as Jane," Facebook generates a secret token that is private for the website and associated with the user's Facebook profile. Facebook then uses the token to direct the user to the website, which uses the token to communicate directly with Facebook to get the user's email address. Facebook then approves the address and its association with the user, which the site uses to log in the user successfully.

All of this communication between Facebook and the sites involves various redirections to different URLs, which is where the researchers were able to exploit the implementation of OAuth to steal the victim's token or code, they said. Bad implementations are not uncommon; indeed, in a breach last May, attackers used OAuth tokens stolen from Salesforce subsidiary Heroku to gain access to sensitive customer account data.

Finding Means for Exploit

Knowing that this token is where the attacker opportunity lies, the researchers investigated the security of the standard's implementation by causing "unexpected behaviors of the flow," changing various parameters to see whether this would allow them to launch a successful attack, Balmas said. What they found were ways to manipulate the URL redirects that occur in the communication between the two sites so that users were redirected to URLs controlled by the researchers, thus creating an open redirection bug in the site.

"We created a link that takes over any account on [the site] that uses Facebook," Balmas wrote. "The link itself points to a legitimate [site or sister-site] domain, which makes it difficult to detect (manually or automatically)."

This method also allowed for account takeover on the sister platform and affected users signing in to it with Google, the researchers said.

Wider Cyber-Risk of Poor OAuth Implementations

While the researchers only divulged how they used OAuth to compromise the reservation site in the report, they discovered other sites at risk from improperly applying the authentication protocol, Balmas tells Dark Reading.

"We have observed several other instances of OAuth flaws on popular websites and Web services," he says. "The implications of each issue vary and depend on the bug itself. In our cases, we are talking about full account takeovers across them all. And there are surely many more that are yet to be discovered."

OAuth gives site owners an easy way to bypass the user login process, reducing friction in what is otherwise a "long and frustrating" problem, Balmas says. However, though it seems simple, implementing the technology successfully and securely is actually very complicated in terms of proper technical implementation, and a single small wrong move can have a huge security impact, he says.

"To put it in other words — it is very easy to put a working social login functionality on a website, but it is very hard to do it correctly," Balmas tells Dark Reading.

Overall, Balmas advises site owners to treat OAuth "as a sensitive part of your service and either build the internal deep knowledge of the field, undergo continuous security testing and reviews to validate your assumptions, or, of course, both."

He adds, "This is general advice that is relevant for any sensitive path/technology that is part of one's service."

About the Author(s)

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.
