Personal client information could be easily accessed

Jan 26, 2015 15:50 GMT  ·  By

A vulnerability in the web service of Marriott Hotel allowed a security researcher to access information about the reservations of other customers, as well as pull some financial details.

A security researcher noticed that when requesting details about upcoming reservations on the Android app after logging into the Marriott Rewards account, the information would be retrieved without any protection measure.

Unprotected session leads to sensitive customer info

Randy Westergren, who is also a senior developer with XDA-Developers, observed that there was no cookie or authorization header present in the request, leaving room for obtaining details about other clients' reservations.

This could be achieved based only on the membership ID. “Marriott was fetching upcoming reservations with a completely unauthenticated request to their web service, meaning one could query the reservations of any rewards member by simply specifying the Membership ID (rewards number),” he said in a blog post on Sunday.

With the help of a friend who had a reservation at a Marriott hotel, Westergren retrieved details that allowed him to fully manage that reservation: the process required only the booking number and the customer's last name, both of which were returned unprotected in the reservation response to the Android app.
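The flawed lookup described above, placed beside the session-bound check that closes it, as a constructed Python example (not Marriott's code; the service, names and data are hypothetical):

```python
"""Constructed example of the flaw described above and its fix.

Hypothetical in-memory reservation service; names and data are made up.
The flaw: upcoming reservations are looked up by membership ID alone, so any
caller who supplies another member's ID receives that member's bookings.
The fix: require a valid session and serve only the member bound to it.
"""
from dataclasses import dataclass
import secrets

@dataclass(frozen=True)
class Reservation:
    confirmation_number: str
    last_name: str
    hotel: str

# Constructed sample data: membership ID -> upcoming reservations
RESERVATIONS = {
    "100200300": [Reservation("CONF-1", "Doe", "Example Hotel Downtown")],
    "400500600": [Reservation("CONF-2", "Roe", "Example Hotel Airport")],
}

# Active sessions: opaque token -> membership ID it was issued for
SESSIONS: dict[str, str] = {}

def login(membership_id: str) -> str:
    """Issue an unguessable session token bound to exactly one member."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = membership_id
    return token

def upcoming_reservations_vulnerable(membership_id: str) -> list[Reservation]:
    """Flawed pattern: no cookie or Authorization header is consulted, so the
    membership ID taken from the request is trusted as-is."""
    return RESERVATIONS.get(membership_id, [])

class Unauthorized(Exception):
    pass

def upcoming_reservations(token: str, membership_id: str) -> list[Reservation]:
    """Hardened pattern: resolve the caller from the session first, then refuse
    any request whose membership ID differs from the authenticated member's.
    (Dropping the client-supplied ID entirely and using the session's is the
    simpler design when the API shape allows it.)"""
    owner = SESSIONS.get(token)
    if owner is None:
        raise Unauthorized("missing or invalid session")
    if not secrets.compare_digest(owner, membership_id):
        raise Unauthorized("membership ID does not belong to this session")
    return RESERVATIONS.get(owner, [])
```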

Glitch allowed control of a customer's reservation

By leveraging this security oversight, the researcher could have cancelled his friend's reservation. Beyond that, a different screen exposed the last four digits of the payment card number, the card's expiration date, and the customer's name, email address and postal address.

In order to demonstrate his findings, Westergren created a proof-of-concept, which he sent to someone working as an information security engineer for the hotel chain. Although the researcher had a tough time finding the right person, Marriott responded promptly and solved the issue in about a day.

This is far from Randy Westergren's first disclosure of this sort. Last week, he published details about a vulnerability in Verizon's My FiOS mobile application, which allowed full access to the inbox of any customer of the carrier by simply changing the user ID in the web requests.

[Images: Access to reservation details; Information fetched when querying for reservations; Card info partially available]