Cyber Security researchers have clarified the details of the current patched accounts and weakness of the current patched account, affecting popular online travel services for hotels and rental cars.
“By utilizing this defect, the attacker can obtain unauthorized access to the user’s account in the system, perform on behalf of the victim, and to the victim’s loyalty point. API Security Company Salt Labs is a report shared with the API Security Company Salt Labs, such as reservations for hotels and rental cars. 。
He added that the success of the vulnerability could be dangerous for millions of online airlines. Although the name of the company has not been revealed, this service has been integrated into “dozens of commercial airlines online services” and states that users can add hotel reservations to the airline itinerary. Masu.
In short, this drawback is that it is easy to weapon by sending special links that can be propagated through standard distribution channels such as e -mail, text message, and attacker control website. can. Just click the link and the threat actor is enough to hijack the victim’s account as soon as the login process is completed.
The site that integrates rental reservation services has the option to log in to the latter using qualification information associated with airline service providers. At this point, the rental platform generates a link and redirects the user to the airline website to complete the authentication via OAuth.
If the sign -in succeeds, the user will be able to reserve hotels and rental cars using the airline royalty point on a website that complies with the format “SEC”.
The attack method invented by Salt Lab is that by operating the “Tr_returnurl” parameter from the airline site, which contains user session tokens, the authentication response to the site under the control of the attacker is redirected, causing injustice damage. Includes to be able to access the person’s account effectively. How to include personal information.
“Because the operated link uses a legitimate customer domain (when operating only at the parameter level instead of a domain level), attacks through the standard domain inspection or block list/Allowlist method. It will be difficult to detect. “
Salt Labs explains the interaction between services as a highly profitable vector of API supply chain attacks. As a result, the enemy invades the system and steals private customer data, targeting the weak link of the ecosystem.
“Beyond the mere data exposure, the attacker can perform an action on behalf of users, such as creating orders and changing account details,” said ELBIRT. “This serious risk emphasizes the weakness of third -party integration and the importance of strict security protocols to protect users from unauthorized account access and operation.”
Source link
