OAuth security gaps at Booking.com

Implementation flaws would have allowed account takeover (now remediated)

This short video explains how Salt Labs researchers identified several critical security flaws on the popular travel site Booking.com. 

The flaws were found in the site's authentication functionality and could have allowed a malicious attacker to take over user accounts, access profile information, and take actions on behalf of the user such as booking or canceling reservations and ordering transportation services.

All issues were reported to Booking.com and have been resolved with no evidence of these flaws being actively exploited in the wild. For a more detailed analysis, please check out our blog post.

Related resources