Researchers have found a security flaw in Booking.com that affects users who log in using Facebook.
Hackers could steal data and perform actions on the site while impersonating the victim.
- The breach takes advantage of a flaw in OAuth, a technology that is used by hundreds of thousands of companies globally and millions of users.
- OAuth essentially allows users to log in to websites using their credentials for Facebook, Google, etc.
- The researchers stated they identified the flaws by manipulating specific steps in the OAuth sequence.
- After discovering the flaws, researchers notified Booking.com, which claims to have patched them since then.
- Booking claims that the flaw has not been used by threat actors to steal any user data.
- 90% of the users preferred social login over traditional email registration on websites.
- OAuth has been targeted by hackers numerous times. In 2022, GitHub confirmed several organizations were compromised by a threat actor using stolen OAuth tokens to access their private repositories.
- Microsoft Exchange was also breached by hackers who installed OAuth applications and managed to control Exchange servers and spread spam.
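The article does not say which steps of the OAuth sequence were manipulated, so the following is a generic illustration rather than a reconstruction of the Booking.com issue. It is an added example, not code from the article or from Booking.com, and simulates in memory the authorization-code login flow that sits behind a "Log in with Facebook/Google" button: an identity provider (`AuthorizationServer`) and a website (`RelyingParty`) are both hypothetical, and the session and user names are constructed. It shows the integrity checks each side is expected to enforce so that a callback cannot be redirected, replayed, or completed in a different browser session than the one that started the login: exact `redirect_uri` matching, single-use authorization codes, and a per-session `state` value compared in constant time.

```python
"""Simulated OAuth 2.0 authorization-code login with the standard integrity checks.
Constructed example: identity provider, website, sessions and users are all in-memory stand-ins."""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlencode, urlparse, parse_qs


@dataclass
class AuthorizationServer:
    """Hypothetical identity provider (stand-in for Facebook, Google, etc.)."""
    registered_redirects: dict = field(default_factory=dict)  # client_id -> exact redirect_uri
    issued_codes: dict = field(default_factory=dict)          # code -> (client_id, redirect_uri, user)

    def authorize(self, client_id, redirect_uri, state, user):
        # Only the exact registered redirect_uri may receive the code.
        if self.registered_redirects.get(client_id) != redirect_uri:
            raise ValueError("redirect_uri mismatch")
        code = secrets.token_urlsafe(24)
        self.issued_codes[code] = (client_id, redirect_uri, user)
        # The provider echoes the client's state back unchanged on the callback URL.
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

    def token(self, client_id, code, redirect_uri):
        # Single use: the code is removed on its first exchange, so a replay fails.
        entry = self.issued_codes.pop(code, None)
        if entry is None or entry[0] != client_id or entry[1] != redirect_uri:
            raise ValueError("invalid or already-used code")
        return {"access_token": secrets.token_urlsafe(32), "user": entry[2]}


@dataclass
class RelyingParty:
    """Hypothetical website offering social login through the provider above."""
    client_id: str
    redirect_uri: str
    idp: AuthorizationServer
    pending_states: dict = field(default_factory=dict)  # browser_session -> state

    def start_login(self, browser_session):
        # Fresh unguessable state, bound to the browser session that started the login.
        state = secrets.token_urlsafe(16)
        self.pending_states[browser_session] = state
        return state

    def finish_login(self, browser_session, callback_url):
        params = parse_qs(urlparse(callback_url).query)
        expected = self.pending_states.pop(browser_session, None)
        received = params.get("state", [""])[0]
        # The callback must belong to the session that began the flow; constant-time compare.
        if expected is None or not hmac.compare_digest(expected, received):
            raise ValueError("state mismatch")
        tok = self.idp.token(self.client_id, params["code"][0], self.redirect_uri)
        return tok["user"]


def run_scenarios():
    """Exercise the checks and return what each scenario produced (constructed inputs)."""
    results = {}
    idp = AuthorizationServer()
    site = RelyingParty("site-123", "https://site.example/callback", idp)
    idp.registered_redirects[site.client_id] = site.redirect_uri

    # 1. Normal login: the same browser session starts and finishes the flow.
    state = site.start_login("session-alice")
    cb = idp.authorize(site.client_id, site.redirect_uri, state, "alice")
    results["normal"] = site.finish_login("session-alice", cb)

    # 2. The code from scenario 1 is presented to the provider a second time.
    code = parse_qs(urlparse(cb).query)["code"][0]
    try:
        idp.token(site.client_id, code, site.redirect_uri)
        results["code_replay"] = "accepted"
    except ValueError as e:
        results["code_replay"] = str(e)

    # 3. A callback generated for one session is submitted from a different session.
    state = site.start_login("session-alice")
    cb = idp.authorize(site.client_id, site.redirect_uri, state, "alice")
    try:
        site.finish_login("session-other", cb)
        results["session_mismatch"] = "accepted"
    except ValueError as e:
        results["session_mismatch"] = str(e)

    # 4. An authorization request naming a redirect_uri that was never registered.
    try:
        idp.authorize(site.client_id, "https://elsewhere.example/cb", "x", "alice")
        results["redirect_mismatch"] = "accepted"
    except ValueError as e:
        results["redirect_mismatch"] = str(e)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Running the module prints one line per scenario: only the normal flow yields a logged-in user; the replayed code, the cross-session callback, and the unregistered redirect are each refused by the specific check that covers them. In a real deployment these checks are complemented by PKCE and by the provider rejecting any `redirect_uri` that differs from the registered value even in path or query string.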