API Supply Chain Attacks Put Millions of Airline Users at Risk
A recently discovered vulnerability in a popular online travel service has put millions of airline users worldwide at risk of account takeover.
The service provides hotel and car rental booking solutions and is integrated into dozens of commercial airline online services. This vulnerability allowed attackers to gain unauthorized access to any user’s account within the system, enabling them to impersonate the victim and perform various actions on their behalf.
According to Salt Labs, the account takeover vulnerability could be exploited through a malicious link that bypasses the travel service’s security checks.
The vulnerability, now fixed, was discovered in a popular online travel service, referred to as “Acme Travel” in the report to preserve anonymity. The service is used by many commercial airlines and allows users to book hotels and car rentals using their airline loyalty points. By exploiting this flaw, attackers could book hotels and car rentals using the victim’s loyalty points, cancel or edit booking information and more.
How the Attack Works
The vulnerability was exploited through a malicious link that bypassed the travel service’s security checks. Attackers could distribute the link via email, text messages or attacker-controlled websites to lure victims.
Once the link was clicked and following successful authentication to the official airline service, the attacker gained full access to the user’s account within the travel system.
The researchers found that the tr_returnUrl parameter in the initial login request could be manipulated to redirect the user’s credentials to a server under the attacker’s control. This allowed the attacker to capture the user’s credentials and gain unauthorized access to their account.
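As an added illustration (not code from Salt Labs or from the travel service in the report), this is the kind of server-side allowlist check that stops a return-URL parameter such as tr_returnUrl from being pointed at a host the attacker controls; the host names are constructed placeholders, and the sample URLs are constructed inputs.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist (placeholder hosts; the real service's hosts are not in the report).
ALLOWED_RETURN_HOSTS = {"acme-travel.example", "www.acme-travel.example"}
DEFAULT_RETURN_URL = "https://acme-travel.example/"


def is_safe_return_url(url: str, allowed_hosts=ALLOWED_RETURN_HOSTS) -> bool:
    """True only for an absolute https URL whose host is exactly on the allowlist.

    Each check closes a common open-redirect bypass: whitespace/CRLF tricks,
    scheme-relative "//evil" URLs, "trusted@evil" userinfo tricks, non-https
    schemes such as javascript:, and look-alike hosts like "trusted.evil".
    """
    if not url or any(c in url for c in "\r\n\t "):
        return False                          # header injection / whitespace confusion
    if url.startswith(("//", "/\\", "\\")):
        return False                          # scheme-relative or backslash-confused URL
    try:
        parts = urlsplit(url)
    except ValueError:
        return False                          # e.g. malformed IPv6 literal
    if parts.scheme != "https":
        return False                          # rejects http:, javascript:, data:, ...
    if parts.username is not None or parts.password is not None:
        return False                          # "https://trusted@evil.example" has host evil
    host = (parts.hostname or "").lower().rstrip(".")
    return host in allowed_hosts              # exact match, never prefix/suffix matching


def resolve_return_url(requested: Optional[str]) -> str:
    """Use the requested return URL only if it is safe; otherwise fall back to our own page."""
    if requested and is_safe_return_url(requested):
        return requested
    return DEFAULT_RETURN_URL


# Constructed sample values a login endpoint might receive in tr_returnUrl, with verdicts.
SAMPLE_RETURN_URLS = {
    "https://acme-travel.example/booking/complete": True,
    "https://www.acme-travel.example:443/cb?ref=air": True,
    "https://evil.example/phish": False,
    "//evil.example/phish": False,
    "https://acme-travel.example@evil.example/": False,
    "https://acme-travel.example.evil.example/": False,
    "http://acme-travel.example/": False,
    "javascript:alert(1)": False,
}

if __name__ == "__main__":
    for url, expected in SAMPLE_RETURN_URLS.items():
        verdict = is_safe_return_url(url)
        assert verdict == expected, url
        print(f"{'ALLOW' if verdict else 'BLOCK':5} {url}")
```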
“Open Redirects have been a known weakness for over a decade and are relatively easy to address,” said Bambenek Consulting president, John Bambenek.
“What this shows is that there is a degree of complacency in this industry thinking that the sensitivity of the information is low, and while perhaps that was true when these systems were created, with the proliferation of award points that have actual value, it’s time to ensure the basics of web security are put in place.”
Attack Mitigation Steps
To prevent similar API supply chain attacks, Salt Labs recommends:
- Service users to exercise caution when receiving links from untrusted sources, even if they appear legitimate
- Service consumers to pay special attention to the integration point between services and verify that everything meets desired security standards
- Service producers to ensure that services and integration points are well-secured and consider using third-party vendors to identify posture gaps and anomalous traffic
“Securing APIs becomes increasingly challenging when integrating with third-party services,” added Black Duck fellow Ray Kelly.
“Managing the sharing of authentication tokens, navigating complex chained API flows and enforcing proper authorization on API calls can be daunting, particularly for large organizations. Strengthening the software supply chain in such ecosystems requires expertise, thorough planning and time to address vulnerabilities effectively to help mitigate risks before deploying to production.”