Researchers Uncover Account Takeover Flaw in Popular Travel Booking Service
Cybersecurity researchers have revealed details of a recently patched account takeover vulnerability that affected a widely used online travel booking service for hotels and car rentals.
According to a report from API security firm Salt Labs, attackers could have exploited the flaw to gain unauthorized access to user accounts, impersonate victims, and perform various actions—such as booking accommodations and rental cars using airline loyalty points, modifying reservations, or even canceling them. The report, shared with The Hacker News, warns that millions of airline customers may have been at risk.
While the company’s name remains undisclosed, researchers confirmed that the service is embedded in multiple commercial airline platforms, allowing travelers to add hotel reservations to their flight itineraries.
How the Attack Worked
The vulnerability could be leveraged by sending a specially crafted link via common distribution channels such as email, text messages, or compromised websites. Clicking the link would enable an attacker to take control of the victim’s account once they completed the login process.
The affected booking service allows users to sign in using their airline account credentials. After authentication via OAuth, the system redirects users to a webpage following the structure <rental-service>.<airlineprovider>.sec, where they can redeem airline loyalty points for hotel stays and car rentals.
Salt Labs discovered that by manipulating a parameter called "tr_returnUrl", an attacker could redirect the authentication response—including the victim's session token—to a malicious site. This would grant the attacker unauthorized access to the user's account and personal data.
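To make the weak point concrete, here is an added example (not code from Salt Labs or the booking vendor) in Python: a post-login redirect that trusts tr_returnUrl the way the report describes, next to one that checks the parameter against an exact host allowlist before attaching anything sensitive. The host names, the token parameter name and the fallback landing page are constructed placeholders.

```python
from urllib.parse import urlparse, urlencode

# Hosts the booking service may legitimately send the user back to.
# Constructed placeholders: the article names neither vendor nor airlines.
ALLOWED_RETURN_HOSTS = {"rental.example-airline.com", "rental.example-air.com"}
FALLBACK_LANDING = "https://rental.example-airline.com/loyalty"


def is_safe_return_url(candidate: str) -> bool:
    """Accept only absolute https URLs whose exact host is allowlisted.

    Rejects the shapes that let a return-URL parameter carry a session
    token off-site: foreign hosts, lookalike suffix domains, scheme-relative
    '//host' values, userinfo tricks and non-https schemes.
    """
    if not candidate or len(candidate) > 2048:
        return False
    # Browsers treat '\' as '/' in http(s) URLs; urlparse does not, so a
    # value with a backslash can parse one way and navigate another.
    if "\\" in candidate:
        return False
    parts = urlparse(candidate)
    if parts.scheme != "https":
        return False            # also rejects '//host' (empty scheme)
    if parts.username is not None or parts.password is not None:
        return False            # 'good.com@evil.com' style netlocs
    # hostname is lowercased and port-stripped, so compare it, not netloc.
    return parts.hostname in ALLOWED_RETURN_HOSTS


def vulnerable_redirect(tr_return_url: str, session_token: str) -> str:
    """'Before' shape: forwards the token to whatever tr_returnUrl says."""
    return f"{tr_return_url}?{urlencode({'token': session_token})}"


def hardened_redirect(tr_return_url: str, session_token: str) -> str:
    """Validate first; an unrecognised return URL gets the fixed landing page.

    Even with validation, prefer handing the browser a short-lived, one-time
    code and setting the real session as an HttpOnly cookie server-side,
    rather than putting the session token itself in a URL.
    """
    target = tr_return_url if is_safe_return_url(tr_return_url) else FALLBACK_LANDING
    return f"{target}?{urlencode({'token': session_token})}"
```

Logging the rejected tr_returnUrl values (without the token) gives a cheap detection signal for attempts against the login flow.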
The Risks of Third-Party Integrations
Amit Elbirt, a security researcher at Salt Labs, emphasized that the attack was particularly difficult to detect since the manipulated link used a legitimate customer domain. Standard security measures such as domain inspections or allowlists/blocklists would likely fail to flag the attack.
This vulnerability highlights the risks associated with service-to-service integrations, a growing concern in API security. Attackers often target the weakest link in a digital ecosystem to gain access to sensitive data or manipulate user accounts.
"Beyond simple data theft, adversaries can exploit these vulnerabilities to place fraudulent orders, modify account settings, and compromise personal details," Elbirt warned. "This underscores the need for stringent security protocols to protect users from unauthorized access and manipulation in third-party integrations."
With the vulnerability now patched, organizations relying on external booking services should review their API security measures to prevent similar threats in the future.