Salt Labs has discovered an account takeover vulnerability in a widely used online travel service that facilitates hotel and car rental bookings. This service is integrated into a slew of commercial airline platforms, allowing users to seamlessly add accommodations to their airline itineraries.
By exploiting this flaw, malicious actors could gain unauthorized access to any user account within the system, enabling them to impersonate victims and carry out various actions on their behalf. This includes booking hotels and rental cars using the victim’s airline loyalty points, modifying or canceling reservations, and more.
The vulnerability could be triggered through a malicious link that bypasses the travel service’s security checks. Malefactors could distribute this link via email, text messages, or attacker-controlled websites to deceive users. Once the link is clicked and the victim successfully authenticates with the airline service, the attacker gains full access to the user’s travel account.
This security flaw potentially exposed millions of airline customers to risk. However, following Salt Labs’ research and coordinated disclosure, the online travel service has identified, verified, and remediated the issue, ensuring that the vulnerability has been fully mitigated.
Convenience Over Security
This vulnerability shows a growing and recurring issue in API security—convenience often takes priority over security, says Akhil Mittal, Senior Manager at Black Duck. “Travel platforms are built to provide seamless user experiences, but that ease of use can create blind spots. Here, attackers didn’t use sophisticated techniques; they exploited weak validation processes and a failure to manage trust between integrated systems.”
What stands out for Mittal is the lack of granular access controls and proper token validation. “These are basics in API security, but they’re often overlooked in favor of faster integrations or simpler designs. Organizations need to step back and ask: Are we truly enforcing strong authentication at every step? Are we watching for unusual behaviors, like spikes in link activity or unexpected account access? And are we taking the time to understand the risks our third-party partners might bring into the mix?”
This isn’t just about fixing a technical issue or patching vulnerabilities, Mittal stresses. “When systems are interconnected, the risks don’t just add up; they multiply. One flaw in an API can quickly spread, putting millions of users at risk. That’s why APIs need smarter security, like dynamic trust validation, behavior validation, and real-time anomaly detection to prevent exploitation.”
Open Redirects have been a known weakness for over a decade and are relatively easy to address, says John Bambenek, President at Bambenek Consulting. “This shows that there is a degree of complacency in this industry, thinking that the sensitivity of the information is low. While perhaps that was true when these systems were created, with the proliferation of award points that have actual value, it’s time to ensure the basics of web security are put in place.”
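The open redirect weakness Bambenek refers to comes down to how a service validates the destination it sends an authenticated user back to. As an added illustration (not Salt Labs’ finding and not the travel service’s code; all hosts and URLs are constructed), the following Python contrasts a weak substring check with a strict allowlist validator and shows which constructed inputs each accepts:

```python
from urllib.parse import urlsplit, urlunsplit

# Hosts the booking flow may redirect to (constructed example values).
ALLOWED_HOSTS = {"travel.example.com", "book.travel.example.com"}
DEFAULT_TARGET = "https://travel.example.com/"


def weak_is_safe_redirect(url: str) -> bool:
    """Hypothetical weak check: accepts any URL that merely *contains*
    the trusted host name, which is the kind of validation that fails open."""
    return "travel.example.com" in url


def safe_redirect_target(url: str, default: str = DEFAULT_TARGET) -> str:
    """Hardened check: parse the URL, require https, compare the exact host
    against an allowlist, reject userinfo tricks, and otherwise fall back
    to a fixed default instead of following the supplied value."""
    parts = urlsplit(url)
    if parts.scheme != "https":          # also rejects protocol-relative "//host"
        return default
    host = parts.hostname                # lower-cased by urlsplit, None if absent
    if host is None or host not in ALLOWED_HOSTS:
        return default
    if parts.username or parts.password: # "trusted@attacker" style netlocs
        return default
    try:
        port = parts.port                # invalid port strings raise ValueError
    except ValueError:
        return default
    netloc = host + (f":{port}" if port else "")
    # Rebuild from validated pieces; drop the fragment.
    return urlunsplit(("https", netloc, parts.path or "/", parts.query, ""))


# Constructed sample inputs: two legitimate targets, then lookalike hosts,
# a trusted name hidden in the query, userinfo, protocol-relative and http.
CONSTRUCTED_CASES = [
    "https://travel.example.com/itinerary?ref=air",
    "https://book.travel.example.com/cars",
    "https://travel.example.com.attacker.example/login",
    "https://attacker.example/?next=https://travel.example.com",
    "https://travel.example.com@attacker.example/",
    "//travel.example.com.attacker.example/",
    "http://travel.example.com/",
]


def evaluate(cases: list[str]) -> dict[str, tuple[bool, str]]:
    """Map each input to (weak check verdict, hardened redirect target)."""
    return {u: (weak_is_safe_redirect(u), safe_redirect_target(u)) for u in cases}
```

Run `evaluate(CONSTRUCTED_CASES)`: the weak check accepts all seven inputs, while the hardened validator only passes the first two through and sends every other case to the fixed default.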
Expertise, Planning, and Time
Securing APIs becomes more and more challenging when integrating with third-party services, adds Ray Kelly, Fellow at Black Duck. “Managing the sharing of authentication tokens, navigating complex chained API flows, and enforcing proper authorization on API calls can be daunting, particularly for large organizations.”
Kelly believes that strengthening the software supply chain in these ecosystems will take expertise, thorough planning, and time, so that vulnerabilities can be addressed and risks mitigated before systems are deployed to production. “As a general rule, users should avoid clicking links in unsolicited SMS or email messages, as doing so can lead to account theft, as demonstrated in this scenario.”
The Way Forward
As businesses depend more and more on APIs, security needs to move to the top of the priority list. Robust threat detection, regular API audits, and adopting zero-trust principles can all help mitigate risks. With API attacks expected to rise further, organizations that fail to act could find themselves at the center of the next major breach.
For businesses looking to secure their API ecosystems, the message is clear: proactive measures are no longer optional—they are essential.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.