Two out of three hotels leak guests’ data to third-party sites

10 Apr 2019


You can check in but your data may be checked out by someone else.

A new investigation by Symantec has revealed that two out of three hotel websites (67pc) leak guests’ booking details and personal data to third-party sites. These sites include advertisers and analytics companies.

The findings are based on an analysis of more than 1,500 hotels in 54 countries spread across five continents.

“While it’s no secret that advertisers are tracking users’ browsing habits, in this case the information shared could allow these third-party services to log into a reservation, view personal details and even cancel the booking altogether,” said Symantec principal threat researcher Candid Wueest.

“It has been almost a year since the General Data Protection Regulation (GDPR) came into effect in Europe, but many hotels affected by this issue have been very slow to acknowledge, much less address, it.”

Attackers can follow your trail of digital breadcrumbs

Mock-up by Symantec of the kind of information hackers can access by clicking on links in reservation emails.

Image: Symantec

Compromised information included everything from guests’ full name and email address, to credit card details and their passport number. Access to this information could allow potential hackers to modify booking details, among other nefarious activities.

Targeted attack groups are increasingly interested in the movements of influential business professionals and government employees, and Symantec recently cited threat activity from espionage groups such as Whitefly.

With this leaked data, hackers have access to powerful information that could allow them to track a target’s movements, identify individuals accompanying a target, know how long a target is staying in a particular place, and even gain physical access to a target’s location, with strong implications for high-profile individuals.

Wueest said that more than half (57pc) of the hotel sites studied send a confirmation email to customers with a direct access link to their booking.

“On its own, this would not be an issue. However, many sites directly load additional content on the same website such as advertisements. This means that direct access is shared either directly with other resources or indirectly through the referrer field in the HTTP request. My tests have shown that an average of 176 requests are generated per booking, although not all these requests contain the booking details. This number indicates that the booking data could be shared quite widely.”

He said there are other scenarios in which the booking data may also be leaked.

“Some sites pass on the information during the booking process, while others leak it when the customer manually logs into the website. Others generate an access token, which is then passed in the URL instead of the credentials, which is not good practice either.

“In most cases, I found that the booking data remains visible, even if the reservation has been cancelled, granting an attacker a large window of opportunity to steal personal information.

“Hotel comparison websites and booking engines appear to be slightly more secure. From the five services that I tested, two leaked the credentials and one sent the login link without encryption,” Wueest said.

Another issue he identified was unencrypted links: 29pc of hotel sites did not encrypt the initial link sent in the email that contained the identity of the user. This makes it possible for hackers to intercept the credentials of a user who clicks on the HTTP link in the email.
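The two exposures described above, booking details reaching third parties through request URLs or the Referer header and confirmation links sent over plain HTTP, can be checked from a capture of the requests a booking page makes. The following is an added example, not Symantec's tooling: the hostnames, booking reference, email address and capture entries are constructed, and `audit` and `site_of` are hypothetical helper names.

```python
from urllib.parse import urlsplit, unquote

def site_of(host):
    # Assumption: the last two labels identify the site. This is wrong for
    # suffixes such as .co.uk; a real audit should use a public-suffix list.
    return ".".join((host or "").lower().split(".")[-2:])

def audit(booking_url, secrets, capture):
    """Return (channel, host, leaked_fields) for each third-party exposure.

    secrets: field name -> value that grants access to the reservation.
    capture: dicts with 'url' and 'referer' for every request the page made.
    """
    link = urlsplit(booking_url)
    findings = []
    if link.scheme != "https":
        # The emailed link itself travels in cleartext.
        findings.append(("cleartext-link", link.hostname, []))
    for req in capture:
        host = urlsplit(req["url"]).hostname
        if site_of(host) == site_of(link.hostname):
            continue  # first-party request
        for channel in ("url", "referer"):
            # Decode twice: trackers often embed the page URL percent-encoded.
            text = unquote(unquote(req.get(channel, "")))
            leaked = sorted(k for k, v in secrets.items() if v in text)
            if leaked:
                findings.append((channel, host, leaked))
    return findings

# Constructed sample data (not from the Symantec study).
BOOKING_URL = "http://booking.hotel.example/retrieve?ref=ZX81QK&email=ann%40mail.example"
SECRETS = {"ref": "ZX81QK", "email": "ann@mail.example"}
CAPTURE = [
    {"url": "https://static.hotel.example/app.js", "referer": BOOKING_URL},
    {"url": "https://ads.adnet.example/pixel.gif?cb=1", "referer": BOOKING_URL},
    {"url": "https://stats.metrics.example/collect?dl=https%3A%2F%2Fbooking."
            "hotel.example%2Fretrieve%3Fref%3DZX81QK%26email%3Dann%2540mail.example",
     "referer": "http://booking.hotel.example/"},
    {"url": "https://cdn.fonts.example/font.woff2",
     "referer": "http://booking.hotel.example/"},
]

if __name__ == "__main__":
    for finding in audit(BOOKING_URL, SECRETS, CAPTURE):
        print(finding)
```

A `Referrer-Policy` of `no-referrer` or `origin` on the booking page closes the Referer channel, but not values that the page's own scripts copy into third-party request URLs.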

Another issue is brute-forcing: if an attacker knows the email or the last name of the customer, they can guess that customer’s booking reference number and log in.

“Such an attack might not scale well, but it does work well when an attacker has a specific target in mind or when the target location is known, for example a conference hotel. With some websites, the customer’s email or name is not even needed on the back-end – all that is required is a valid booking reference code. I found multiple examples of these coding mistakes, which would have allowed me to not only access all active reservations for a large hotel chain, but also view every valid flight ticket of an international airline,” Wueest said.

Infographic showing how hotels leak data to third parties.

Infographic: Symantec

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years