Cybersecurity researchers have disclosed details of an account takeover vulnerability affecting a popular online travel service used for hotel and car rental bookings.
“Using this flaw, attackers can gain unauthorized access to any user’s account on the system, which effectively allows them to impersonate the victim and perform an array of actions on their behalf – including booking hotels and renting cars using the victim’s loyalty points, canceling or editing booking information, and more,” API security firm Salt Labs said in a report shared with The Hacker News.
Successful exploitation of the vulnerability could put millions of online airline users at risk. The company’s name was not disclosed, but Salt Labs said the service is integrated into the online platforms of “dozens of commercial airlines” and allows users to add hotel bookings to their airline reservation.
The flaw, in a nutshell, can be trivially weaponized by sending a specially crafted link, which can be distributed through standard channels such as email, text messages, or attacker-controlled websites. A single click on the link is enough for the threat actor to take control of the victim’s account as soon as the login process completes.
Sites that integrate the rental reservation service let users log into it using the credentials of the airline’s service provider; at that point, the rental platform creates a link and redirects the user back to the airline’s website to complete authentication via OAuth.
Once logged in, users are redirected to a URL that follows the format “
The attack method devised by Salt Labs involves redirecting the authentication response from the airline’s site, which includes the user’s session token, to a site under the attacker’s control by manipulating the “tr_returnUrl” parameter, effectively granting unauthorized access to the victim’s account and their personal information.
“Since the manipulated link uses a legitimate customer domain (with manipulation only at the parameter level rather than at the domain level), this makes the attack difficult to detect with standard domain inspection or blocklist/allowlist methods,” said security researcher Amit Elbirt.
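As an added illustration, not code from the article, from Salt Labs, or from the affected service (whose implementation is not described), the following Python shows the kind of strict return-URL validation that closes this class of token leak: the login handler honours a tr_returnUrl only when its scheme and host exactly match an allowlisted origin, and otherwise falls back to a fixed default. The hostnames, the default URL and the sample parameter values are constructed assumptions. The checks go a little beyond the single manipulation the article describes and also reject the malformed variants that parameter-level tampering commonly relies on (scheme-relative URLs, lookalike subdomains, credentials in the authority, backslash confusion, non-HTTP schemes). The audit helper at the end is the detection side: run it over tr_returnUrl values observed in login request logs to surface the ones that should never have been followed.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist for this example; the article does not name the real hosts.
# Each entry is an exact (scheme, host) pair the login flow may return a session to.
ALLOWED_RETURN_ORIGINS = {
    ("https", "booking.airline.example"),
    ("https", "www.airline.example"),
}
# Constructed safe landing page used whenever validation fails.
DEFAULT_RETURN = "https://booking.airline.example/"


def validate_return_url(candidate, allowed=ALLOWED_RETURN_ORIGINS):
    """Return a normalised redirect target if `candidate` points at an allowlisted
    origin, else None. Matching is on the exact (scheme, host) pair; substring or
    prefix matching on the host is exactly what lookalike domains exploit."""
    if not candidate:
        return None
    # Browsers treat a backslash like a slash; urlsplit does not. Normalise so
    # "https:\\host" is parsed the way a browser would actually follow it.
    normalised = candidate.strip().replace("\\", "/")
    try:
        parts = urlsplit(normalised)
    except ValueError:  # e.g. a malformed IPv6 literal in the authority
        return None
    # Scheme-relative ("//host/..."), relative paths and non-URL schemes such as
    # "javascript:" all fail here because the scheme or the authority is empty.
    if not parts.scheme or not parts.netloc:
        return None
    # Refuse credentials or a port in the authority: "allowed.host@evil.host"
    # resolves to evil.host even though the allowed name appears first.
    if "@" in parts.netloc or ":" in parts.netloc:
        return None
    origin = (parts.scheme.lower(), parts.hostname)  # hostname is lowercased
    if origin not in allowed:
        return None
    # Rebuild from the validated pieces and drop the fragment so nothing after
    # '#' rides along with the redirect.
    return urlunsplit((origin[0], origin[1], parts.path or "/", parts.query, ""))


def safe_return_url(candidate, allowed=ALLOWED_RETURN_ORIGINS, default=DEFAULT_RETURN):
    """What the login handler should call: a validated target or the fixed default."""
    return validate_return_url(candidate, allowed) or default


# Constructed sample values, as a tr_returnUrl parameter might appear in request logs.
SAMPLE_RETURN_URLS = [
    "https://booking.airline.example/trip?id=123",        # legitimate
    "https://BOOKING.airline.example/",                   # legitimate, odd case
    "//evil.example/collect",                             # scheme-relative
    "https://booking.airline.example.evil.example/",      # lookalike subdomain
    "https://booking.airline.example@evil.example/",      # credentials trick
    "https:\\\\evil.example/collect",                     # backslash confusion
    "http://booking.airline.example/",                    # wrong scheme
]


def audit_return_urls(samples):
    """Detection helper: return the observed values the validator would reject."""
    return [s for s in samples if validate_return_url(s) is None]


if __name__ == "__main__":
    for value in SAMPLE_RETURN_URLS:
        print(f"{value!r:55} -> {safe_return_url(value)}")
    print("rejected:", audit_return_urls(SAMPLE_RETURN_URLS))
```

The design choice worth noting is that the fallback is a constant, never a "best effort" repair of the supplied value: once a return URL fails any check, the handler should not try to salvage it, because every salvage rule is another surface for parameter-level manipulation on a domain that otherwise looks legitimate.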
Salt Labs described the service-to-service integration as a lucrative vector for API supply chain attacks, in which an adversary targets a weaker link in the ecosystem to breach systems and steal private customer data.
“Beyond the direct impact on data, attackers can perform actions in the user’s name, such as creating bookings or changing account details,” Elbirt added. “This critical risk highlights the vulnerabilities in such integrations and the importance of strict security protocols to protect users from unauthorized access and account manipulation.”