Two in Three Hotels Leaking Booking Details

Two out of three hotels are insecure and leak customers’ sensitive data. Researchers found that hotel websites leak customer information to third-party services, allowing malicious actors to view, change, and cancel guest bookings.

Symantec researchers who tested over 1,500 hotels in 54 countries found that over 67 percent of hotel websites exposed customers’ personal data. The problem was found everywhere from two-star motels to five-star beach resorts.

These hotel sites are also leaking booking reference codes to third parties such as advertisers. A few sites revealed only numerical values and dates of stay to third parties. However, a majority of websites exposed personal data such as name, email address, mobile phone number, the last four digits of the credit card, card type, expiration date, and passport number.

Personal data is released when customers click on confirmation links sent to their inboxes. More than 57 percent of the sites that sent confirmation links allowed customers to go straight to their reservation without having to log in. Although this link is sent only to the customer, it is inadvertently shared with the third parties present on the site.

The link itself also carries a privacy risk when it is unencrypted: about 29 percent of hotel sites failed to encrypt the initial link sent to customers.

“This means a potential attacker could intercept the credentials of the customer who clicks on the HTTP link in the email.”

Each time a booking is made, about 176 requests are sent, and many of them contain details of the reservation. The booking URL is passed along in the referrer field of those requests, so the booking reference code is shared with more than 30 service providers, including social networks, search engines, and advertising and analytics services.
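To make the referrer leak concrete, here is an added example (not code from the article or from Symantec) that applies the browser Referrer-Policy rules to a constructed confirmation URL and lists which third-party hosts would receive the booking reference; the hotel domain, third-party URLs and the `ref` query parameter are assumptions for illustration.

```python
"""Which third parties receive a booking code through the Referer header?"""
from urllib.parse import urlparse, urlunparse, parse_qs

# Constructed sample: a confirmation page with the booking code in the URL,
# plus the kind of third-party resources such a page typically loads.
PAGE = "https://hotel.example/reservation?ref=ABC123&email=guest%40example.com"
REQUESTS = [
    "https://analytics.example/collect",   # analytics beacon
    "https://ads.example/pixel.gif",       # advertising pixel
    "http://cdn.example/widget.js",        # plain-HTTP widget (a downgrade)
    "https://hotel.example/static/app.js", # same-origin asset
]

def _strip(url):
    """Referer never carries userinfo or the fragment."""
    p = urlparse(url)
    return urlunparse((p.scheme, p.netloc.rsplit("@", 1)[-1], p.path, p.params, p.query, ""))

def _origin(url):
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc.rsplit('@', 1)[-1]}/"

def referer_for(policy, page_url, request_url):
    """Referer value sent for request_url from page_url under policy, or None."""
    same_origin = _origin(page_url) == _origin(request_url)
    downgrade = urlparse(page_url).scheme == "https" and urlparse(request_url).scheme == "http"
    full, origin = _strip(page_url), _origin(page_url)
    rules = {
        "no-referrer": None,
        "unsafe-url": full,
        "same-origin": full if same_origin else None,
        "origin": origin,
        "strict-origin": None if downgrade else origin,
        "no-referrer-when-downgrade": None if downgrade else full,   # old browser default
        "origin-when-cross-origin": full if same_origin else origin,
        "strict-origin-when-cross-origin": full if same_origin else (None if downgrade else origin),
    }
    return rules[policy]

def hosts_receiving_booking_ref(policy, page_url, request_urls, param="ref"):
    """Hosts whose Referer header would contain the booking reference value."""
    value = parse_qs(urlparse(page_url).query).get(param, [""])[0]
    leaked = []
    for u in request_urls:
        r = referer_for(policy, page_url, u)
        if r and value and value in r:
            leaked.append(urlparse(u).hostname)
    return leaked

if __name__ == "__main__":
    for policy in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"):
        print(f"{policy}: {hosts_receiving_booking_ref(policy, PAGE, REQUESTS)}")
```

Under the older `no-referrer-when-downgrade` default the analytics and advertising hosts receive the full URL with the booking code; a `Referrer-Policy: strict-origin-when-cross-origin` or `no-referrer` header on the confirmation page (or keeping the code out of the URL entirely) stops that.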

With the reference code, a malicious actor can easily log into the reservation, view personal details, and cancel the booking. Wueest said that even after reservations are canceled, malicious actors can still access and steal the personal data.

Contact LIFARS for penetration testing services