OAuth Redirect Flaw in Airline Travel Integration Exposes Millions to Account Hijacking
Summary:
Salt Labs researchers have uncovered details of a now-patched account takeover vulnerability affecting a popular online travel service used for booking hotels and car rentals. The flaw allowed attackers to gain unauthorized access to user accounts, impersonate victims, and perform various actions, including booking hotels or car rentals using airline loyalty points, canceling or editing reservations, and accessing personal information. Although the company’s name was not disclosed, the service is integrated with numerous commercial airline websites, enabling users to add hotel bookings directly to their airline itineraries.
The vulnerability could be exploited by sending a specially crafted link through email, text messages, or attacker-controlled websites. Once clicked, the link redirected the victim to a manipulated authentication flow. The attack leveraged the OAuth process used for logging into the travel service via airline credentials. During authentication, the rental platform generated a session token and redirected users back to the airline's domain. However, attackers manipulated the "tr_returnUrl" parameter to redirect this token to a site under their control, enabling full account access without the victim's knowledge.
Security Officer Comments:
What made this attack particularly dangerous was its reliance on legitimate customer domains. Since the manipulation occurred at the parameter level rather than the domain level, it bypassed traditional security measures such as domain inspections or blocklists. This sophistication made detection challenging and significantly increased the risk for millions of users. The researchers, from API security firm Salt Labs, identified this vulnerability as an example of the growing risk posed by API supply chain attacks. Such attacks exploit weak links in interconnected services to gain unauthorized access, steal sensitive data, and execute malicious actions on behalf of users. Beyond data theft, attackers could create fraudulent orders, modify account details, and disrupt user services.
Suggested Corrections:
Service Users
As a user of online services, it is always advisable to use caution when receiving links from untrusted sources, even if the links appear entirely legitimate at first glance, and even if they lead to legitimate and trusted websites.
Service Consumers
If your service consumes or uses a third-party service, pay special attention to the integration point between the services and to the trust relationship between them: verify that the integration meets your desired security standards and that only the information the integration actually requires is shared between the services.
It is also advisable to perform extra security checks and penetration testing, with the depth of testing depending on the type and sensitivity of the relationship between the services.
Service Producers
As a service producer, it is essential to make sure your service and its integration points are well secured. Special attention should be given to the design and implementation phases to ensure security standards are met and correctly implemented. Additionally, consider using a third-party vendor able to automatically identify existing posture gaps and anomalous traffic as it occurs, to support a more robust layered defense approach.
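An added example, not code from Salt Labs, The Hacker News or the unnamed travel service, of the validation a service producer could apply to a return-URL parameter such as tr_returnUrl at the OAuth callback described above. It contrasts a host-only inspection of the kind the summary says the attack bypassed with an exact allowlist of registered return URLs; partner names, hosts and function names are hypothetical.

```python
from urllib.parse import urlsplit, parse_qs, urlencode

# Constructed allowlist: each airline partner registers the exact return URLs
# the travel service may redirect to. Partner names and hosts are hypothetical.
REGISTERED_RETURN_URLS = {
    "airline-a": {"https://www.airline-a.example/hotels/callback"},
    "airline-b": {"https://book.airline-b.example/oauth/return"},
}

def host_only_check(partner: str, return_url: str) -> bool:
    """Domain-level inspection only: passes if the host matches a partner host.
    Shown as the weak pattern; it ignores the rest of the parameter value."""
    host = (urlsplit(return_url).hostname or "").lower()
    allowed = {urlsplit(u).hostname for u in REGISTERED_RETURN_URLS.get(partner, set())}
    return host in allowed

def exact_allowlist_check(partner: str, return_url: str) -> bool:
    """Hardened check: scheme, host, port and path must exactly equal a
    registered URL, and no query value may itself be a URL (nested redirect)."""
    parts = urlsplit(return_url)
    if parts.scheme != "https" or parts.fragment or parts.username or parts.password:
        return False
    base = f"{parts.scheme}://{parts.netloc.lower()}{parts.path}"
    if base not in REGISTERED_RETURN_URLS.get(partner, set()):
        return False
    # A query value that is itself an http(s) URL would let a partner-side
    # open redirect forward the token onward, so refuse it outright.
    for values in parse_qs(parts.query, keep_blank_values=True).values():
        if any(urlsplit(v).scheme in ("http", "https") for v in values):
            return False
    return True

def issue_redirect(partner: str, tr_return_url: str, session_token: str):
    """Return the Location the callback should emit, or None to refuse.
    The session token is appended only to a URL that passed the exact allowlist."""
    if not exact_allowlist_check(partner, tr_return_url):
        return None
    sep = "&" if urlsplit(tr_return_url).query else "?"
    return tr_return_url + sep + urlencode({"token": session_token})
```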
Link(s):
https://thehackernews.com/2025/01/oauth-redirect-flaw-in-airline-travel.html