OAuth vulnerability exposed airline customers to cyber threats

January 31, 2025

A critical vulnerability in an OAuth login integration has exposed millions of airline customers to potential account takeovers, highlighting the security risks that third-party integrations carry. The flaw was not in the OAuth protocol itself but in how a major online travel services provider implemented it; that provider is integrated with multiple airline websites worldwide.


A discovered OAuth flaw lets attackers hijack airline accounts, steal data, and misuse loyalty points via phishing links.


Researchers discovered the vulnerability while investigating API supply chain attacks. The flaw, which has since been patched, allowed attackers to redirect the authentication response carrying a user's OAuth credentials to an attacker-controlled server, where they could be exchanged for valid session tokens. With these tokens, attackers could log into the travel provider's systems as the victim and spend the victim's airline loyalty points on hotel and rental car bookings.

The security lapse also gave attackers full access to the victim's stored information on the airline's website, including personal data, mileage, and rewards. The attack required only a phishing link that led to what appeared to be the legitimate airline login page. Once the user authenticated, the attacker gained complete access to the user's account in the travel system. Because the login page the victim saw was genuine in appearance, and in the flow described the victim really was logging in, there was almost nothing for the victim to notice.

Security experts noted that the flaw stemmed from the travel provider's failure to verify that the destination to which it returned the user's authentication credentials was a legitimate domain. Because the redirect target was taken from the request without validation, an attacker could manipulate the authentication flow so that the login response was delivered to the attacker's server instead of the airline's. The standard defence is to accept only redirect targets that exactly match a pre-registered allowlist, rather than checking whether a trusted name merely appears somewhere in the URL. From the provider's side, the resulting requests would have been indistinguishable from legitimate logins, making detection extremely difficult for both the airline and its users.
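The contrast between a weak and a strict redirect check is easiest to see in code. The following Python example is added here to illustrate the class of flaw the article describes; it is not the travel provider's code, and the hostnames, parameter names, and test URLs in it are constructed for the example. It compares a substring check of the kind that a phishing link defeats against an exact-match allowlist check, and shows where a freshly issued token would be sent in each case.

```python
from __future__ import annotations

from urllib.parse import urlsplit

# Hypothetical allowlist of exact hosts a login response may be returned to.
# The real provider's configuration is not known; these hosts are made up.
ALLOWED_REDIRECT_HOSTS = frozenset({
    "www.example-airline.com",
    "login.example-airline.com",
})


def naive_is_allowed(redirect_url: str) -> bool:
    """Weak check of the kind a phishing link defeats: it only asks whether
    the trusted brand appears somewhere in the URL."""
    return "example-airline.com" in redirect_url.lower()


def strict_is_allowed(redirect_url: str,
                      allowed_hosts: frozenset = ALLOWED_REDIRECT_HOSTS) -> bool:
    """Accept a redirect only if the scheme is https, there is no userinfo
    part, the port is the default, and the host exactly matches the allowlist."""
    try:
        parts = urlsplit(redirect_url)
        port = parts.port              # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False                   # rejects "https://trusted-host@attacker" tricks
    host = parts.hostname              # urlsplit already lowercases this
    if host is None or port not in (None, 443):
        return False
    return host in allowed_hosts


def token_destination(redirect_url: str, session_token: str) -> str | None:
    """Simulate the provider deciding where to send a freshly issued token.
    Returns the destination URL, or None when the redirect is rejected."""
    if not strict_is_allowed(redirect_url):
        return None
    sep = "&" if "?" in redirect_url else "?"
    return f"{redirect_url}{sep}token={session_token}"


# Constructed inputs: one legitimate callback and four attacker-shaped ones.
CASES = {
    "legit":      "https://www.example-airline.com/callback",
    "subdomain":  "https://www.example-airline.com.attacker.net/callback",
    "in_query":   "https://attacker.net/cb?brand=www.example-airline.com",
    "userinfo":   "https://www.example-airline.com@attacker.net/cb",
    "plain_http": "http://www.example-airline.com/callback",
}


def evaluate_cases() -> dict[str, tuple[bool, bool]]:
    """Return {case name: (naive verdict, strict verdict)} for every input."""
    return {name: (naive_is_allowed(url), strict_is_allowed(url))
            for name, url in CASES.items()}


if __name__ == "__main__":
    for name, (weak, strict) in evaluate_cases().items():
        print(f"{name:10s} naive={str(weak):5s} strict={strict}")
```

Every attacker-shaped URL passes the naive check, so a provider using it would hand the session token to attacker.net; the strict check rejects all four and accepts only the registered callback. Parsing the URL and comparing the host exactly matters more than any one pattern: the subdomain, query-string, and userinfo cases each embed the trusted name in a different place, and a substring check cannot tell them apart.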

This type of OAuth implementation flaw is more common than many assume. In 2023, researchers found a similar vulnerability in Booking.com's OAuth flow that allowed attackers to hijack user accounts when users logged in via Facebook. Other companies, including Grammarly, Vidio, and the Indonesian e-commerce site Bukalapak, have also been affected by OAuth misconfigurations that exposed millions of user accounts.

The incident underscores the security risks posed by third-party integrations and the need for rigorous authentication handling on every side of the integration. Because the primary service providers, such as airlines, often have little visibility into attacks that play out on a partner's login flow, the third-party companies themselves must enforce strict checks on where credentials and tokens are sent. Without such verification, OAuth implementation flaws will continue to pose serious threats to online services and user data.
