
Vulnerability in Airline Integration Service Enables Hackers to Gain Entry to User Accounts

A recent security vulnerability in a widely used airline integration service has exposed millions of users to account takeovers, raising concerns over the safety of online travel services.

Security researchers from Salt Labs discovered the flaw, which enabled hackers to access user accounts without authorization, potentially compromising sensitive information and airline loyalty points.

The Exploit

The vulnerability lies in the integration between a popular third-party travel booking service (“Acme Travel”) and major airline websites.

This integration allows airline customers to book hotels and car rentals using their loyalty points. However, the API trust between the airline and Acme Travel became a weak link attackers could exploit.

At the heart of the issue is the manipulation of a single parameter (“tr_returnUrl”) during the OAuth authentication process.

Attackers could create a malicious link that redirected authentication tokens (essentially user credentials) to servers under their control.

Once a legitimate user clicked the link and authenticated into their airline account, the attacker intercepted these tokens, gaining full access to the victim’s Acme Travel account.

This exploit allowed attackers to impersonate users, book hotels or car rentals using their loyalty points, and even update or cancel reservations without the user’s consent.


How the Vulnerability Worked

The normal login process between airlines and Acme Travel involves the following steps:

  1. A user is redirected to Acme Travel from the airline’s website.
  2. Acme Travel initiates an OAuth flow, sending the user back to the airline’s login page.
  3. The user authenticates, and the session credentials, including tr_code and tr_id, are sent back to Acme Travel.
  4. The user is granted access to their account on Acme Travel.

However, Salt Labs researchers discovered that the tr_returnUrl parameter, which determines where the tokens are sent, wasn’t validated by the backend server.

(Figure: Generates the corresponding Salt Airlines OAuth link)

Attackers could replace this value with a URL they controlled. Once a user logged in, the attacker received the tokens, enabling account hijacking. For example:

  • A malicious link might look like:
    https://acme.saltairlines.sec/start?tr_returnUrl=http://attacker-site.com/malicious

(Figure: The attacker can then use these credentials to obtain a valid session token by making a request)

Unsuspecting users clicking on such a link would unknowingly send their credentials to the attacker.
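The root cause above is a backend that forwards tr_code and tr_id to whatever tr_returnUrl says. The following added example (not code from Salt Labs or the affected service) shows the defensive check that was missing: an exact-match allowlist of registered return URLs, with the registered path /oauth/callback and the registration table itself being assumptions for illustration.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit, urlencode

# Constructed registration table: return URLs a partner registered out of band.
# The hostname comes from the article's example link; the path is an assumption.
REGISTERED_RETURN_URLS = {
    "acme.saltairlines.sec": {"/oauth/callback"},
}


def is_allowed_return_url(url: str) -> bool:
    """Exact-match check of tr_returnUrl against the registered allowlist.

    Rejects non-HTTPS schemes, userinfo tricks (host@evil), explicit ports,
    look-alike hosts (registered.host.attacker.tld) and unregistered paths.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    if parts.username or parts.password or port is not None:
        return False
    if parts.query or parts.fragment:
        return False
    allowed_paths = REGISTERED_RETURN_URLS.get(parts.hostname or "")
    return bool(allowed_paths) and parts.path in allowed_paths


def build_token_redirect_unvalidated(tr_return_url: str, tr_code: str, tr_id: str) -> str:
    """The weak pattern the article describes: tokens go wherever the caller asks."""
    query = urlencode({"tr_code": tr_code, "tr_id": tr_id})
    return f"{tr_return_url}?{query}"


def build_token_redirect(tr_return_url: str, tr_code: str, tr_id: str) -> Optional[str]:
    """Hardened form: refuse to issue the redirect unless the URL is registered."""
    if not is_allowed_return_url(tr_return_url):
        return None
    parts = urlsplit(tr_return_url)
    query = urlencode({"tr_code": tr_code, "tr_id": tr_id})
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))


if __name__ == "__main__":
    evil = "http://attacker-site.com/malicious"  # value from the article's example link
    print(build_token_redirect_unvalidated(evil, "code", "id"))  # tokens leak
    print(build_token_redirect(evil, "code", "id"))  # None: redirect refused
```

The unvalidated builder is kept only to contrast with the allowlist version; a real authorization server would also log the rejected tr_returnUrl value for detection of abuse attempts.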

Potential Impact

The implications of this vulnerability were significant:

  • Account Takeover: Hackers could gain unrestricted access to victims’ accounts, using their airline loyalty points to book services.
  • Privacy Breach: Personal information, including booking details, could be exposed.
  • Financial Loss: Victims could lose valuable loyalty points without realizing it.

The integration service is used by dozens of major airlines globally, meaning millions of users may have been at risk.

Mitigation and Resolution

Salt Labs followed a responsible disclosure process, alerting the travel service provider to the vulnerability. The company confirmed the issue, implemented fixes, and closed the security gap.

As of now, the vulnerability has been mitigated, preventing further exploitation. To protect themselves, users are advised to:

  1. Avoid clicking on unfamiliar or suspicious links, especially those claiming to redirect to airline or travel services.
  2. Monitor loyalty point balances and account activity for unauthorized transactions.
  3. Use multi-factor authentication (MFA) where possible for added security.

This incident underscores the increasing risks posed by API supply chain attacks, where third-party integrations become the focus of exploitation.

While APIs enable seamless digital experiences, they also expand the attack surface. If one service fails to implement robust security measures, the entire chain can be compromised.

“This case highlights a critical need for better API governance and validation mechanisms,” said a spokesperson for Salt Labs.

“Every service provider must ensure rigorous verification of third-party interactions to prevent such vulnerabilities from slipping through.”

The discovery of this vulnerability serves as a wake-up call for organizations relying on integrated services.

While the rapid adoption of APIs has revolutionized digital interactions, security must remain a top priority to ensure the protection of user data and trust.


Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
