Case #15: Leaked hotel reservations

Information about as many as maybe 1.5 million past, current and future hotel stays were openly accessible on the Internet.

Published: Mon, April 23, 2018, 23:55
Category:
Security
Tags:
Security Monday
Information leak
OWASP 2017 A3
OWASP 2017 A5
OWASP 2017 A10

tl;dr 🔗

The company Ariane had a leak in one of their newsletter software installations causing an exposure of something like 1.5 million hotel reservations with hotel name, reservation number, dates of stay, customer name, customer e-mail address and possibly room number. A number of hotels were affected and the data went for like two years back in time and also included future stays.

Summary 🔗

Who: Ariane (and therefore some of their customers)
Severity level: Medium
Reported: April 2018
Reception and handling: Good
Status: Fixed
Reward: A gift card for 1 night for 2 persons at a Thon hotel (provided by Thon which was the hotel chain I reported the leak to)
Issue: Information leak with personal information related to hotel reservations

Background 🔗

I had a talk at OWASP Norway's meetup in Oslo and therefore stayed the night at Thon Hotel Rosenkrantz Oslo.

I did the reservation online directly with the hotel as it was cheaper than via hotels.com. And because of the direct booking the hotel started sending me different e-mails regarding my stay. Some of those e-mails led me to an unprotected website.

Approach (technical stuff) 🔗

All the e-mails from the hotel had links named "View in browser". The e-mails directly regarding my stay linked to a Microsoft Azure application at some "random" cloudapp.net subdomain.

What hit me first was that the links were served over http and not https. And instead of a nice shorter URL pointing to Thon, it was a long one with a path signaling that site was used for more than my hotel chain. The query parameters contained a big integer as an ID and my e-mail address. So the natural thing to try was to remove the e-mail address from the query parameters. To my surprise I still got my details back.

Then I tried my ID - 1 and got another person's booking. I never download a lot of data as I don't want anyone to question my motives, but I do like to get an idea of the scope of a data leak, so I did a few tests to see if I could see how many bookings this was. My ID was past 2.37 million and the lowest that I saw working was around 865 thousand, so I estimate that more than 1.5 million records were available.

It was possible to traverse the URL path and get to a generator/preview function of a lot of different types of e-mail templates (for check-in details, receipts, room number reminder, etc.) for a long list of hotels.

By changing the templates it was possible to retrieve different information about a booking. E.g. one template would include the room number, while another would include dates and the customer's name and e-mail address. Judging from the e-mails I received it would in some cases be possible to check some people in or out.

Just by doing a google search with the subdomain I got a page that looked like a login page for the whole system. That page was also served over http.

Security issues

One could very easily iterate over - what I estimate to be - 1.5 million bookings and get some or all of the following information:
  • Customer's full name
  • Customer's e-mail address
  • Reservation number
  • Date of arrival
  • Date of departure
  • Hotel name
  • Room number

The bookings seem to range back from 2016 and also include future stays.

Also everything was served over an unencrypted connection so someone could potentially listen in and get the information.

The list of hotels affected by this security vulnerability in Ariane's system is longer, but as I only did a few tests so I only observed these:

Ariane has stated that most affected hotels are in Germany and France (Norwegian link). In the same article they are quoted saying that they cannot be sure that this issue has already been taken advantage of.

Reception and handling

Day zero 🔗

I couldn't immediately see who was responsible for the whole system so in the afternoon I sent an e-mail to Thon Hotels' customer service. I got an automatic response giving me a hint that they would not read that e-mail until the day after, so I also sent them a direct message on Twitter saying that they probably wanted to check out the issue right away.

Just two hours later I got a reply thanking me and saying that the information was past on to the web development department.

Day 5ish 🔗

I tested the URL in question and saw that they had fixed the issue where one could access anyone's booking without also knowing the e-mail address.

Day 7 🔗

I got an e-mail from the chief of security in the group owning the Thon Hotels where he thanked me and asked for my details to send a reward - a gift card which I received just a few days after that.

Media coverage 🔗

For once I did things a bit differently and worked with the media before I published the case here myself. NRKbeta covered the story less than a week ago (Norwegian link only, sorry). NRK is the Norwegian government-owned radio and television public broadcasting company, and the largest media organisation in Norway. They also featured it as as the top story on nrk.no of their front page for some time. I'm happy to see that big media companies like NRK cares about online security and our personal data.

Conclusion 🔗

Is this leak so bad? Most people can handle having their name, e-mail address and reservation stolen or being open on the Internet forever. This is still a pretty bad leak. The number of reservations was pretty big. Maybe someone was already taking advantage of it? It would be possible to regularly check the bookings for public persons or other individuals. It could also be circumstantial evidence for some person being at a certain place at a certain time.

Also, with information like this it would be pretty easy to do some kind of spear phishing - to use the information to target and deceive a hotel customer.

I think we all expect our hotel to keep our personal details safe and secured.

Get notified when there are new posts! :-)