By David DeMoss
It’s no secret that hotels are a big target when it comes to cyberattacks — their database holds a plethora of guest information like phone numbers, credit card information, addresses, and passport numbers. A major issue that hotels are currently facing is in regard to their confirmation emails. Many hotel websites don’t require authentication to see booking details, meaning that anyone can access that information; about one-third of the pages have the booking number in the URL itself! In addition, these websites have advertisers and third-party analytics tools embedded on the page, who are also receiving the URL, making guests’ information even more vulnerable to attacks. To combat this issue, it’s recommended that hotels stop putting the booking information in the URL and start implementing more authentication measures on the confirmation pages. More details from Angela Lang, below.
When your hotel automatically emails you your booking information, there’s a good chance that you’re not the only person with access to those documents.
Symantec, a security company, found flaws on hundreds of hotel websites, which were leaking sensitive information like names, phone numbers, passport numbers and addresses in confirmation emails.
Candid Wueest, a threat researcher at Symantec, said he looked at more than 1,500 hotel websites in 54 countries and found the issues among two-thirds of them.
Hotels are a primary target for cyberattacks, as they hold treasure troves of data on guests during vacation season. They are frequently hacked, as cyberattacks on Sheraton, Westin, Starwood, Marriott and Wyndham hotels over the last few years show. Last November, Marriott disclosed that hackers had stolen records from up to 383 million guests in one of the largest personal data breaches in history.
Hotels have a hotbed of data, and their websites have been leaking out that information, Wueest said. One major issue stems from the URL that they send to guests in emails. About 850 hotel websites don’t require authentication to see those details, allowing anyone with the link to view your personal information. Nearly one-third of those pages have the booking number in the URL itself, Wueest found.
If the guest were the only person who could view that URL, it wouldn’t be much of an issue, but these websites have advertisers and third-party analytics tools embedded on the pages.
Those third parties get that URL too, and a potential attacker could gather that information for malicious purposes, researchers found. Wueest said he found a Google Analytics request for a hotel booking confirmation page contained a URL with the reservation number in plain sight.
All an attacker would have to do with that is enter the reservation number and find out all the sensitive information tied to it.
Several hotel websites were also found to be vulnerable to brute forcing — when an attacker guesses every possible combination for a reservation number. With computer advances, today a machine can guess every possible combination of an eight-character password in less than three hours. To prevent this, websites will usually limit the number of guesses someone can make.
With one hotel website, Wueest said he was able to brute force his way in and view every active reservation for the company.
He said he reached out to all the hotels with these security issues and one-fourth of them ignored his warnings for more than six weeks. Wueest recommended that hotels stop including booking information in the URL and start implementing authentication measures on confirmation pages.