67% of hotel reservation sites may be leaking guests' room information and personal information to third parties


by Soumil Kumar

In November 2018, Marriott International, the world's largest hotel chain, announced that data on up to about 500 million customers had been stolen. With security in the hotel industry already a concern, researchers at Symantec, known for the Norton computer security software, announced findings that about two-thirds of websites related to hotel reservations may have leaked customers' accommodation and personal information to outside parties.

Two in Three Hotel Websites Leak Guest Booking Details and Allow Access to Personal Data | Symantec Blogs
https://www.symantec.com/blogs/threat-intelligence/hotel-websites-leak-guest-data

Norton security researcher Candid Wueest tested more than 1000 hotel reservation websites in 54 countries to investigate security issues on hotel websites. The sites tested ranged from two-star hotels in the countryside to five-star luxury resort hotels. Wueest picked locations at random, searched for hotels in each location, and checked the websites that appeared at the top of the results.

The survey found that as many as 67% of the websites were leaking the user's reservation reference code to third parties such as advertisers and data analysis companies. A large hotel chain was also included in Wueest's survey. It is not uncommon for advertisers to track a user's web browsing history, but in this case third parties, including advertisers, were in a position to obtain the user's reservation reference code, which, Wueest says, made it possible to steal personal information or cancel the hotel reservation.

'Some reservation systems were commendable, in that they leaked only information such as the number of days of the stay and did not leak more private information,' Wueest says sarcastically. Many hotel reservation sites may have leaked personal information such as the guest's full name, email address, address, mobile phone number, last four digits of the credit card, card type, credit card expiration date and passport number.


by Tim Savage

As for why so many booking systems leak personal information to third parties, Wueest pointed to the URL links in the emails sent to confirm bookings. To make things more convenient for customers, many reservation sites let the user open the site and check the reservation information without logging in, simply by clicking the URL in the email.

The URL in this email carries the user's reservation reference code as a static parameter. That is not a problem as long as the URL is known only to the user, but in practice the page also loads content from advertisers, search engines and other third parties, so the URL that gives access to the user's reservation information ends up being shared with them along with various other information.
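A site owner can check their own booking page for this exposure by capturing the requests it triggers and looking for the reference code in what goes to other hosts. The sketch below is an added example, not code from the article or from Symantec; the hostnames, parameter names and values are constructed, and the two channels it checks (the Referer header and URLs copied into third-party request parameters) are this example's assumptions about how the URL reaches those parties.

```python
from urllib.parse import parse_qsl, quote, unquote, urlsplit

# Constructed sample: the URL a guest opens from the confirmation e-mail and
# a trimmed, HAR-like list of the requests the page then makes.
BOOKING_URL = "https://hotel.example/manage?ref=AB12345&email=guest%40mail.example"
SENSITIVE_PARAMS = {"ref", "email"}  # assumed parameter names
REQUESTS = [
    {"url": "https://hotel.example/static/app.js", "referer": BOOKING_URL},
    {"url": "https://ads.adnet.example/pixel.gif?page=manage", "referer": BOOKING_URL},
    {"url": "https://stats.analytics.example/collect?dl=" + quote(BOOKING_URL, safe=""),
     "referer": "https://hotel.example/"},
    {"url": "https://cdn.fonts.example/font.woff", "referer": "https://hotel.example/"},
]

def site(url):
    """Crude site key: last two host labels (a simplification, no public-suffix list)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])

def fully_unquote(text):
    """Percent-decode until stable, because trackers often nest encoded URLs."""
    previous = None
    while previous != text:
        previous, text = text, unquote(text)
    return text

def find_leaks(booking_url, requests, sensitive_params):
    """Return sorted (third_party_host, channel, param) for every exposed value."""
    query = parse_qsl(urlsplit(booking_url).query)
    secrets = {value: name for name, value in query if name in sensitive_params}
    first_party = site(booking_url)
    leaks = set()
    for req in requests:
        if site(req["url"]) == first_party:
            continue  # same site: the hotel already knows the booking
        channels = {"referer": req.get("referer", ""), "url": req["url"]}
        for channel, raw in channels.items():
            decoded = fully_unquote(raw)
            for value, name in secrets.items():
                if value in decoded:
                    leaks.add((urlsplit(req["url"]).hostname, channel, name))
    return sorted(leaks)

if __name__ == "__main__":
    for host, channel, name in find_leaks(BOOKING_URL, REQUESTS, SENSITIVE_PARAMS):
        print(f"{host}: '{name}' exposed via {channel}")
```

An empty result for a page is what a fixed site should produce, for example once the reference code is no longer carried in the URL or the referrer sent to other hosts is trimmed to the origin.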

Wueest believes that the privacy risk from this issue is low if the data is shared only with trusted third parties. However, he points out that on public hotspots there is a risk that unencrypted URLs will be intercepted by malicious parties.



Also, according to Wueest, on multiple websites users' reservation numbers were easily predictable from their email addresses and user names. A malicious person could therefore predict a user's reservation number, try reservation numbers one after another over a certain range, and look for the target's accommodation information.

Having discovered the vulnerability in hotel booking sites, Wueest reported the findings to the hotels' data protection officers. However, 25% of them did not reply within 6 weeks, and the time taken to answer averaged about 10 days. Many officers reviewed the issue and promised Wueest that they would investigate and address it.


by Negative Space

According to a Cyber Security Report published by Norton in 2018 (PDF), 83% of people are concerned about privacy, but 61% accept compromising their privacy for convenience. Although posting photos to social networking services (SNS) can reveal an individual's whereabouts, people do not consider the risk deeply, and the same goes for services other than SNS.

The vulnerability found in reservation sites this time not only allows an attacker to cancel a user's accommodation reservation simply for fun, but also allows a malicious party in the industry to cancel users' reservations in order to damage a competitor's reputation. Wueest also pointed out that fraudsters may be able to send personalized spam emails by obtaining users' accommodation and personal information.



in Web Service, Security, Posted by log1h_ik