Account takeover attacks possible with vulnerabilities

SiliconAngle reports that Booking Holdings' online travel agency had several critical security flaws in its implementation of OAuth functionality, which could have been leveraged to achieve widespread account takeovers and server breaches. Although there is no evidence that the OAuth misconfigurations were exploited to access customer accounts, such access could have given an attacker complete control of user accounts and exposed sensitive user data, including personally identifiable information, according to a report from Salt Security's Salt Labs research team. Other Booking Holdings sites, including, have also been impacted by the flaws, which have already been remediated. "OAuth has quickly become the industry standard and is currently in use by hundreds of thousands of services around the world. As a result, misconfigurations of OAuth can have a significant impact on both companies and customers as they leave precious data exposed to bad actors," said Salt Security Vice President of Research Yaniv Balmas.
