Leaky hotels. Symantec study finds 67 percent of hotels worldwide leak guests’ personal information
Indeed, the leaks of booking details are so bad that attackers could potentially view a customer’s personal data or even cancel their hotel reservations altogether.
But now Symantec has reviewed more than 1,500 hotel websites spread across 54 different countries, and it concluded that a staggering two out of three (67 percent) hotel websites inadvertently leak guests’ booking details and personal data to third-party sites, such as advertisers and analytics firms.
Symantec warned that compromised personal data can include full names, postal address, mobile number, email addresses, credit card details (last four digits only) and passport numbers.
This data of course is a potential goldmine for cybercriminals.
“While researching possible formjacking attacks on hotel websites recently, I stumbled across a separate issue that could potentially leak my and other guests’ personal data,” blogged Candid Wueest, principal threat researcher at Symantec. “I tested multiple websites – including more than 1,500 hotels in 54 countries – to determine how common this privacy issue is.”
“While it’s no secret that advertisers are tracking users’ browsing habits, in this case the information shared could allow these third-party services to log into a reservation, view personal details, and even cancel the booking altogether,” Wueest warned.
The hotels in question include both luxurious five-star resorts and hotels at the cheaper end of the scale. Hotels in the US, the UK and Europe are said to be affected, despite the risks for them associated with the General Data Protection Regulation (GDPR) which came into effect in Europe last year.
So what exactly is the problem? Well it seems that the main issue surrounds the actual booking confirmation email, as many of these emails contain an active link that directs to a separate website where guests can access their reservation without having to log in again.
Unfortunately, the booking code and the guest email address are often in the URL itself, which normally isn’t a big issue.
An example would be: https://booking.the-hotel.tld/retrieve.php?prn=1234567&mail=john_smith@myMail.tld
“On its own, this would not be an issue,” wrote Wueest. “However, many sites directly load additional content on the same website, such as advertisements. This means that direct access is shared either directly with other resources or indirectly through the referrer field in the HTTP request. My tests have shown that an average of 176 requests are generated per booking, although not all these requests contain the booking details. This number indicates that the booking data could be shared quite widely.”
And worryingly Symantec found that more than one-quarter (29 percent) of the hotel sites did not encrypt the initial link sent in the email that contained the ID.
“Booking sites should use encrypted links (HTTPS) and ensure that no credentials are leaked as URL arguments,” Wueest advised.
“Customers can check if links are encrypted or if personal data, such as their email address, is passed as visible data in the URL,” he added. “They can also use VPN services to minimize their exposure on public hotspots. Unfortunately, for the average hotel guest, spotting such leaks may not be an easy task, and they may not have much choice if they want to book a specific hotel.”
Security experts warned hotels that they have to do a much better job of protecting consumer data in the age of GDPR.
“Consumers should feel safe and secure when they hand over their personal information into a business’s website,” explained Tim Dunton, MD at Nimbus Hosting.
“Unfortunately, it is becoming increasingly apparent that some websites lack the basic security measures required to prevent such information from being exploited by cyber criminals,” said Dunton. “In the age of GDPR, and at a time when consumerism exists almost entirely online, exploitable websites and a lack of basic cyber security measures is simply not acceptable.”
“Moving forward, it is essential that all businesses begin to understand the full implications of not protecting their customer’s data, and start taking proactive measures to ensure hackers cannot access sensitive information by exploiting outdated websites and unregulated IT systems,” he added.
Another expert pointed out that the issue was a design problem, despite the seriousness of the issue.
“It turns out all those emails and website banners were the easy part of GDPR compliance,” said Tim Erlin, VP, product management and strategy at Tripwire. “This type of data leakage is fundamentally a design problem, which shouldn’t detract from the severity of the issue.”
“With the right training and threat modeling, these kinds of issues can be stopped in the development cycle, instead of in production,” said Erlin.
Another expert said this type of leaking was unfortunately notorious within security circles.
“Cross domain includes site tracking scripts and site optimisation platforms which are notorious for causing leaks such as these,” explained Martin Jartelius, CSO at Outpost24.
“However, it is great to see that discussions to rectify this are surfacing,” said Jartelius. “Over the last few years, a range of breaches have been caused by supply chain or dependencies on platforms managed by others. However, with the amount of information crossing organisations trust-boundaries, there does not seem to be a substantial amount of consideration related to confidentiality and privacy. This also happens to be one of the issues with domains that GDPR was designed to address.”
Do you know all about security? Try our quiz!