Full Report
Cybersecurity researchers have disclosed details of a now-patched account takeover vulnerability affecting a popular online travel service for hotel and car rentals. "By exploiting this flaw, attackers can gain unauthorized access to any user’s account within the system, effectively allowing them to impersonate the victim and perform an array of actions on their behalf – including
Analysis Summary
# Vulnerability: OAuth Redirect Manipulation in Airline Travel Integration
## CVE Details
- CVE ID: Not specified in the article.
- CVSS Score: Not specified in the article. Severity is implied to be High due to account takeover potential.
- CWE: Likely CWE-601: Open Redirect (or a related OAuth manipulation vulnerability).
## Affected Systems
- Products: A popular online travel service integrated into "dozens of commercial airline online services" used for adding hotel and car rentals to airline itineraries. The specific vendor is undisclosed.
- Versions: Not specified. Assumed to be vulnerable prior to the patch deployment.
- Configurations: Systems utilizing OAuth authentication flows between the airline service provider and the downstream rental platform.
## Vulnerability Description
The vulnerability resides in the OAuth redirection mechanism used when users authenticate from the rental platform back to their airline service. Attackers could manipulate the `tr_returnUrl` parameter within the authentication request. This manipulation allowed the authentication response, which contained the user's session token, to be redirected to a domain controlled by the attacker instead of the intended return URL (which was formatted similarly to "..sec"). Successful exploitation leads to full account takeover on the travel service, allowing the attacker to use the victim's airline loyalty points for bookings, or modify/cancel existing reservations.
## Exploitation
- Status: Disclosed and subsequently patched. No public exploitation prior to disclosure is reported, but the flaw is readily weaponizable.
- Complexity: Low (requires only a crafted link with a manipulated `tr_returnUrl` parameter).
- Attack Vector: Network (Via specially crafted links delivered via email, SMS, or malicious websites).
## Impact
- Confidentiality: High (Access to PII and session tokens).
- Integrity: High (Ability to perform unauthorized bookings and cancellations, and to modify itinerary information).
- Availability: Medium (Potential disruption to user travel plans through unauthorized modification).
## Remediation
### Patches
- The security firm reported the issue, and the vulnerability is now **patched**. Specific patch versions are not detailed in the summary.
### Workarounds
- No specific workarounds are detailed. General guidance would be to advise users not to follow authentication links from untrusted sources until the patch is confirmed, and to monitor user accounts closely for unauthorized activity.
## Detection
- Indicators of Compromise: Unauthorized hotel/car rental bookings or cancellations initiated under a user's account, especially if loyalty points were utilized.
- Detection methods and tools: Monitoring outbound OAuth redirection URLs for unexpected or unusual `tr_returnUrl` parameters containing attacker-controlled domains or unexpected paths.
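The description above attributes the takeover to a `tr_returnUrl` value that the authentication endpoint accepted without checking it against the registered return URL. The following added example (not code from the report, the researchers, or the affected vendor) shows the defender-side check: exact-match validation of the return URL against a registered allowlist, and a scan of constructed request-log lines for `tr_returnUrl` values that would fail that check. The allowlist entries, hostnames and log lines are all constructed for illustration.

```python
"""Strict return-URL validation and log review for an OAuth `tr_returnUrl` parameter.
Added example; hostnames, allowlist and log lines are constructed, not from the report."""
from urllib.parse import urlsplit, parse_qs

# Hypothetical registered return URLs. Matching is exact on scheme, host and path:
# substring or prefix checks would let an attacker-controlled host slip through.
REGISTERED_RETURN_URLS = {
    ("https", "travel.example-airline.test", "/oauth/callback"),
}

def is_allowed_return_url(url: str) -> bool:
    """Return True only when url matches a registered (scheme, host, path) exactly."""
    try:
        parts = urlsplit(url)
        # Reject embedded credentials or ports, so "https://good.test@evil.test" fails.
        if parts.username is not None or parts.password is not None or parts.port is not None:
            return False
    except ValueError:          # malformed netloc, bad port, bracket errors
        return False
    if parts.scheme != "https" or not parts.hostname:
        return False
    # .hostname is already lower-cased; the path is compared exactly, no prefix logic.
    key = (parts.scheme, parts.hostname, parts.path or "/")
    return key in REGISTERED_RETURN_URLS

def find_suspicious_requests(log_lines):
    """Return [(line_no, tr_returnUrl)] for requests whose return URL is not registered."""
    flagged = []
    for n, line in enumerate(log_lines, 1):
        # Each constructed line has the shape: <timestamp> <method> <path-with-query>
        fields = line.split()
        if len(fields) < 3:
            continue
        query = parse_qs(urlsplit(fields[2]).query)
        for value in query.get("tr_returnUrl", []):
            if not is_allowed_return_url(value):
                flagged.append((n, value))
    return flagged

SAMPLE_LOG = [  # constructed sample request lines
    "2024-01-01T10:00:00Z GET /authorize?client_id=abc&tr_returnUrl=https://travel.example-airline.test/oauth/callback",
    "2024-01-01T10:00:05Z GET /authorize?client_id=abc&tr_returnUrl=https://travel.example-airline.test.attacker.test/oauth/callback",
    "2024-01-01T10:00:09Z GET /authorize?client_id=abc&tr_returnUrl=https://travel.example-airline.test@attacker.test/oauth/callback",
    "2024-01-01T10:00:12Z GET /authorize?client_id=abc&tr_returnUrl=http://travel.example-airline.test/oauth/callback",
]

if __name__ == "__main__":
    for n, url in find_suspicious_requests(SAMPLE_LOG):
        print(f"line {n}: unregistered tr_returnUrl {url}")
```

Only the first sample line passes; the lookalike subdomain, the userinfo trick and the plain-http variant are all flagged, which is the behaviour a detection rule on the `tr_returnUrl` parameter should reproduce.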
## References
- Vendor advisories: Not specified (Vendor name withheld).
- Relevant links (defanged):
  - Discovery Report: hxxps://salt.security/blog/api-supply-chain-attacks---the-skys-the-limit