A study of more than 1,500 hotels in 54 countries found that 67 percent of their websites leak booking reference codes to third-party partners, allowing them to potentially access guests' booking details and personal information.
Such access could even enable the third parties to cancel individuals' reservations if they so desired, according to Symantec Principal Threat Researcher Candid Wueest, who conducted the study and revealed his findings in a company blog post this week.
Wueest says he reached out to the offending hospitality providers to inform them of his discoveries. Despite the possibility that these hotels are violating Europe's GDPR policies, 25 percent of the hotels' data privacy officers did not reply within a six-week response period, Wueest reports. Those that replied reportedly took an average of 10 days to respond – and while some committed to making changes, others contended the shared data wasn't personal or must be shared with ad companies.
It took an average 10 days to respond, most confirmed the inquiry and committed to investigating and implemented changes,, but others said it wasn't personal data and contended such data must be shared with ad companies. In some cases concerned about external services they were using.
During his investigation, Wueest found that third-party entities such as advertisers, analytics companies and social networks and search engines often gain access to hotel guests' names, email addresses, postal addresses, phone numbers, password numbers, booking dates and payment card information including card types, expiration dates, partial card numbers and total amount paid.
According to Wueest, a major contributor to this problem is that 57 of the studied hotel websites send confirmation emails to customers with a direct access link to their booking. The blog post continues: "Since the email requires a static link, HTTP POST web requests are not really an option, meaning the booking reference code and the email are passed as arguments in the URL itself. On its own, this would not be an issue. However, many sites directly load additional content on the same website, such as advertisements. This means that direct access is shared either directly with other resources or indirectly through the referrer field in the HTTP request."
Indeed, the Symantec study revealed that an average hotel booking generates 176 requests, although not all contain booking details. Those that do, however, could allow the related third-party service to log into a reservation to view guest details or cancel a reservation.
This practice potentially creates privacy concerns, especially because the hotels' privacy policies generally did not reference such activity, notes Wueest. Additionally, the more a guest's data is exposed and shared with outside entities, the greater the risk such information could be stolen, misused or abused.
"There are other scenarios in which the booking data may also be leaked," Wueest continues. "Some sites pass on the information during the booking process, while others leak it when the customer manually logs into the website. Others generate an access token, which is then passed in the URL instead of the credentials, which is not good practice either." Even after the reservation is cancelled, the booking data often remains visible.
Symantec noticed other issues as well. For instance, 29 percent of sites failed to encrypt the initial link sent in the email containing the ID, which means attackers could intercept the credentials over an unsecured Wi-Fi connection. Additionally some of the websites allowed brute-force and enumeration attacks against the booking reference code. "Such an attack might not scale well, but it does work well when an attacker has a specific target in mind or when the target location is known," Wueest explains.
To address the issue, Symantec recommends that hotel booking sites use encrypted links and avoid leaking credentials as URL arguments.
"Static web links sharing data is an old practice that most websites have moved on from over the last decade Most of the information shared is useful for initial reconnaissance of a person, assuming you know that person is making reservations and wanted to know where they are going," said Chris Morales, head of security analytics at Vectra. The piece of information that bothers me most is the passport number. As a practice I avoid entering my passport into sites, especially when I don’t think it is necessary."