SiliconAngle reports that Booking.com, the online travel agency owned by Booking Holdings, had several critical security flaws in its OAuth implementation that could have been leveraged to achieve widespread account takeovers and server breaches.
Although there is no evidence that the OAuth misconfigurations were exploited to access Booking.com customer accounts, such access could have enabled complete control of user accounts and the compromise of sensitive user data, including personally identifiable information, according to a report from Salt Security's Salt Labs research team.
Other Booking Holdings sites, including Kayak.com, have also been impacted by the flaws, which have already been remediated.
"OAuth has quickly become the industry standard and is currently in use by hundreds of thousands of services around the world. As a result, misconfigurations of OAuth can have a significant impact on both companies and customers as they leave precious data exposed to bad actors," said Salt Security Vice President of Research Yaniv Balmas.