Vulnerability Exposes Millions of Airline Customers to Potential Account Takeovers
A recent vulnerability has highlighted the significant risks organizations face from misconfigured OAuth authentication processes. This vulnerability exposed millions of airline customers to potential account takeovers, emphasizing the need for organizations to prioritize security and implement robust authentication measures.
The Vulnerability
The vulnerability in question involved a major provider of online travel services for hotels and car rentals. Many airlines have integrated this service into their websites, allowing customers to use their airline points to book not just flights, but also hotels and rental cars in one seamless process. Researchers at Salt Security discovered this vulnerability while hunting for real-world examples of API supply chain attacks.
Real-World Examples of OAuth Implementation Flaws
Researchers from Salt Security found OAuth implementation flaws involving Grammarly, Vidio, and Indonesian e-commerce site Bukalapak. These flaws gave attackers potential access to hundreds of millions of user accounts across multiple websites. Similarly, researchers from another company found OAuth implementation flaws involving a travel company, which exposed millions of airline customers to potential account takeovers.
The Risks of Misconfigured OAuth Authentication
The biggest issue is that, from the airline's perspective, there is no visibility when an attack occurs: an attack request looks identical to a legitimate one. In practice this means the third party (the travel company in this case) is the one responsible for the security of the airline's customers, and there is often no certainty that a third party will hold to the same security standards as its customer.
Conclusion
The recent vulnerability highlights the significant risks organizations face from misconfigured OAuth authentication processes. It is essential for organizations to prioritize security and implement robust authentication measures to protect their customers’ sensitive information.