OAuth Flaw Exposed Millions of Airline Users to Account Takeovers
A vulnerability that exposed millions of airline customers to potential account takeovers has highlighted the significant risks organizations face from misconfigured OAuth authentication processes.
The vulnerability in this case involved a major provider of online travel services for hotels and car rentals. Many airlines have integrated this service into their websites, allowing customers to use their airline points to book not just flights, but also hotels and rental cars in one seamless process.
OAuth Implementation Flaw
Researchers at Salt Security, hunting for real-world examples of API supply chain attacks, stumbled upon a vulnerability in the travel company's process for authenticating users looking to access its services after making an initial airline booking. The flaw, which the travel services company has since fixed, basically gave attackers a way to redirect a user's OAuth credentials to a server of their choice.
The credentials would have allowed the attackers to obtain a valid session token from an airline's website and use it to log into the travel company's systems as the victim and book hotels and car rentals using airline loyalty points.
The discovered vulnerability enabled attackers to hijack victim accounts with a single click, Salt Security researcher Amit Elbirt wrote in a blog post this week, without revealing the identity of the travel services company.
While the takeover would have happened within the travel provider's service, it would have given an attacker full access to a victim's stored information on the airline company's site, including personally identifying information, mileage, and rewards data. "This critical risk highlights the vulnerabilities in third-party integrations and the importance of stringent security protocols to protect users from unauthorized account access and manipulation," Elbirt wrote.
OAuth (Open Authentication) is a security protocol that allows users to grant websites or applications access to their information on other sites without sharing their passwords. A familiar example is logging into a website using Google or Facebook (by clicking "Sign in with Google" or "Login with Facebook" links). In the case of the travel services company, OAuth enabled users to log in to the company's site using their airline credentials.
As Salt Security explains it, when a user clicks on the login button to access the travel company's site, they are automatically redirected to the requisite airline company's login page for authentication. Once complete, the airline site sends an authorization code back to the travel company site, which initiates a process whereby the travel site receives an access token. The travel site then uses the token to request user data from the airline site.
A Failure to Verify
What Salt Security discovered was a weakness in the travel company's authentication flow that gave them a way to redirect the equivalent of a user's login credentials to their own server. "The specific issue here is that the travel company did not correctly verify that the sensitive authentication credentials were sent to a valid domain," says Yaniv Balmas, vice president of research at Salt Security. "By manipulating this flaw, we could force the travel company to send these credentials to us instead of the airline company, thus allowing us — or a malicious actor abusing this — to take over the airline user account and perform any actions on their behalf."
To exploit the flaw, an attacker would have sent a malicious link, which would appear to be a valid airline link, via email or text message to users of airline sites integrated with the travel service provider. According to Salt Security, once a user clicks the link and successfully authenticates to an official airline service, the attacker gains full access to the user’s account within the travel system. "From the victim's perspective, it would be almost impossible to understand the link is malicious since it genuinely belongs to the airline, and there is no easy way to understand its malicious nature without an expert-level understanding of OAuth and authentication flows," he says.
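The flow described above, and the check that the article says was missing, as an added example that is not code from the article, Salt Security, or the travel company. It models a travel-site OAuth client that must only hand the authorization code it received to a pinned partner airline: a loose substring check on the destination (the kind that lets a lookalike host pass) sits beside an exact scheme-and-host allowlist, and the callback handler takes the destination from the server session rather than from anything in the incoming request. All hostnames, the client id, and the redirect URI are constructed placeholders.

```python
# Added example (not the article's or Salt Security's code): a minimal
# OAuth authorization-code client for a "travel site" that must only send
# the code it receives to a known partner airline's token endpoint.
import hmac
import secrets
from urllib.parse import urlencode, urlparse

# Constructed allowlist: partner airline host -> pinned token endpoint.
# These hosts are placeholders, not real airline domains.
ALLOWED_AIRLINE_HOSTS = {
    "login.example-airline.test": "https://login.example-airline.test/oauth/token",
}

CLIENT_ID = "travel-site"  # placeholder
REDIRECT_URI = "https://travel.example.test/callback"  # placeholder


def weak_is_valid_domain(url: str) -> bool:
    """A substring check is not a domain check: any URL that merely contains
    the partner's name passes, including lookalike hosts and userinfo tricks.
    Shown only as the weak form to contrast with strict_token_endpoint()."""
    return "example-airline.test" in url


def strict_token_endpoint(url: str):
    """Exact scheme + host match against the allowlist. Returns the pinned
    token endpoint for that host, never anything derived from the input URL,
    or None if the URL is not an approved partner."""
    parts = urlparse(url)
    if parts.scheme != "https":
        return None
    if parts.username or parts.password:  # reject https://trusted@evil/ forms
        return None
    if parts.port not in (None, 443):
        return None
    host = parts.hostname
    if not host:
        return None
    return ALLOWED_AIRLINE_HOSTS.get(host.lower())


def start_login(session: dict, airline_host: str) -> str:
    """Begin the flow: pin the chosen airline and a fresh CSRF 'state' value
    in the server-side session, then build the airline's authorize URL."""
    if airline_host not in ALLOWED_AIRLINE_HOSTS:
        raise ValueError("unknown airline partner")
    session["airline_host"] = airline_host
    session["state"] = secrets.token_urlsafe(32)
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": session["state"],
    })
    return f"https://{airline_host}/oauth/authorize?{query}"


def handle_callback(session: dict, params: dict):
    """Process the airline's redirect back to the travel site. Returns the
    token endpoint the code may be sent to, or None if the callback is rejected.
    The destination comes from the session pinned in start_login(), so nothing
    in the callback request can steer the code elsewhere."""
    expected = session.get("state", "")
    received = params.get("state", "")
    if not expected or not hmac.compare_digest(received.encode(), expected.encode()):
        return None
    if "code" not in params:
        return None
    session.pop("state", None)  # state is single-use
    return ALLOWED_AIRLINE_HOSTS.get(session.get("airline_host", ""))


if __name__ == "__main__":
    sess = {}
    print(start_login(sess, "login.example-airline.test"))
    print(handle_callback(sess, {"code": "constructed-code", "state": sess["state"]}))
```

The design point is that the travel site never computes "where to send the code" from the request that carries the code. The airline is chosen once, validated against an exact allowlist, and pinned server-side; the callback only proves (via `state`) that it belongs to that pinned login attempt.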
Common Issue
The vulnerability with the unnamed travel company is more common than one might assume, Balmas says. In 2023, for instance, Salt Security discovered a similar vulnerability in Booking.com's OAuth implementation process that gave attackers a way to take over user accounts when using their Facebook accounts to log into the hotel reservation site. Another time, researchers from the company found OAuth implementation flaws involving Grammarly, Vidio, and Indonesian e-commerce site Bukalapak that gave attackers potential access to hundreds of millions of user accounts across multiple websites.
"The biggest issue here is that from the airline's perspective, there is absolutely no visibility in case an attack occurs, and in fact, an attack request will look completely identical to a legitimate one," Balmas notes. "This basically means that the third party — the travel company in this case — is the one responsible for the security and safety of its customer users." Often, he adds, there's no certainty that a third party will hold to the same security standards as its customer.
source: DarkReading