Every two in three hotel websites leak guest booking details, says Symantec threat researcher
Devika Singh April 11, 2019
Planning a dream vacation? Do it well to make sure it doesn't turn out to be a nightmare. Candid Wueest, Principal Threat Researcher at cyber security company Symantec, recently tested multiple websites -- including more than 1,500 hotels in 54 countries -- to determine how many of them could potentially leak the guests' personal data. He found out that about two in three, or 67 per cent, of these sites are inadvertently leaking booking reference codes to third-party sites such as advertisers and analytics companies.
The sites tested by Wueest ranged from two-star hotels in the countryside to luxurious five-star resorts on the beach. "Basically, I randomly chose locations where I would like to spend my vacation, then selected the top search engine results for hotels in those locations."
Wueest says that some hotel sites he tested are part of larger, well-known hotel chains and hence the research for one hotel applies to other hotels in the chain.
The majority of these sites leaked personal data such as full name, email address, postal address, mobile number, last four digits of credit card, card type, and expiration date and even the passport number.
So what caused these leaks?
According to Wueest's research, more than half (57 per cent) of the hotel sites he tested send a confirmation email to customers with a direct access link to their booking and since the email requires a static link, HTTP POST web requests are not really an option, meaning the booking reference code and the email are passed as arguments in the URL itself. "On its own, this would not be an issue. However, many sites directly load additional content on the same website such as advertisements. This means that direct access is shared either directly with other resources or indirectly through the referrer field in the HTTP request," he said.
Wueest said his tests have shown that an average of 176 requests are generated per booking, although not all these requests contain the booking details. This number indicates that the booking data could be shared quite widely.
He also found out that the booking data remains visible even if the reservation has been cancelled, granting an attacker a large window of opportunity to steal personal information.
Hotel comparison websites and booking engines appeared to be slightly more secure in this research. "From the five services that I tested, two leaked the credentials and one sent the login link without encryption."
The data thus revealed could be used by scammers to send convincing personalised spam or carry out other social engineering attacks. They may also sell it in underground markets or use it to commit identity fraud.
The solution to this problem, suggests Wueest, is that the booking sites should use encrypted links (HTTPS) and ensure that no credentials are leaked as URL arguments.