Discovered by Randy Westergren, senior software developer at XDA-Developers, the flaw has likely been present since the app became available in 2011.
The weakness lay in how the app interacted with the Marriott server. The app used no token or authorization protocol when fetching reservations, meaning any potential attacker could write a script that submitted random sequences of numbers to the server until one matched a Marriott membership number. That match would then give them access to the member's information, which included name, reservation numbers, address, contact details and the last four digits of credit cards.
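The following is an added illustration of the authorization gap just described, not code from the article or from Marriott: a lookup keyed only on the membership number returns any member's record to any caller, while the hardened service binds each lookup to an authenticated session and flags clients that try many distinct numbers. All records, tokens and limits are constructed placeholders.

```python
from collections import defaultdict
from typing import Optional

# Constructed sample records; the numbers are placeholders, not real members.
RESERVATIONS = {
    "100200300": {"name": "A. Example", "reservation": "R-1", "card_last4": "1234"},
    "100200301": {"name": "B. Example", "reservation": "R-2", "card_last4": "5678"},
}
# Constructed session store: opaque token -> membership number it was issued to.
SESSIONS = {"tok-abc": "100200300"}


def lookup_vulnerable(member_number: str):
    """The flawed pattern: no token and no ownership check, so guessing works."""
    return RESERVATIONS.get(member_number)


class ReservationService:
    """Hardened lookup: a caller only ever receives the record its session owns."""

    def __init__(self, max_distinct_per_client: int = 5):
        self.max_distinct = max_distinct_per_client
        # client -> set of distinct membership numbers it has requested
        self.requests = defaultdict(set)

    def lookup(self, client_id: str, session_token: Optional[str], member_number: str):
        # Track distinct numbers per client so an enumeration run stands out
        # and can be throttled before any record is returned.
        self.requests[client_id].add(member_number)
        if len(self.requests[client_id]) > self.max_distinct:
            return {"error": "rate_limited"}
        owner = SESSIONS.get(session_token or "")
        if owner is None:
            return {"error": "unauthenticated"}
        # Authorization: the session must belong to the member being requested.
        if owner != member_number:
            return {"error": "forbidden"}
        return RESERVATIONS.get(member_number)
```

In a real deployment the session store and rate counters would live server-side (database or cache), and the "rate_limited" responses are the signal a detection team would alert on.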
Marriott addressed the flaw on Jan. 21, one day after Westergren reported it to the hotel chain.