Are you planning to go on a vacation? Do make sure that you pick the right hotel or else you may have your information leaked. A Principal Threat Researcher at cybersecurity company Symantec, Candid Wueest, recently tested websites of 1,500 hotels in 54 countries to understand how many of these could potentially leak the personal data of guests staying at their property.
The results of the research were shocking. Wueest found that around 67 percent (two in three) of the websites he studied inadvertently leaked booking codes to third-party websites. The information is also being shared with advertisers and analytics companies.
We should add here that the websites that Wueest tested included two-star hotels located in the countryside, as well as luxurious five-star resorts. Speaking about this, Wueest said, “Basically, I randomly chose locations where I would like to spend my vacation, then selected the top search engine results for hotels in those locations. Some hotel sites I tested are part of larger, well-known hotel chains, meaning my research for one hotel applies to other hotels in the chain.”
According to Wueest, a number of the websites he studied disclosed personal data such as full name, email address, postal address, postal code, mobile number, the last four digits of the credit card, card type and expiration date, and even the passport number. That so much information leaks is very shocking.
Wueest explained the matter in more detail saying, “More than half (57 percent) of the sites I tested send a confirmation email to customers with a direct access link to their booking. This is provided for the convenience of the customer, allowing them to simply click on the link and go straight to their reservation without having to log in.”
It is worth noting that since an email requires a static link, HTTP POST requests are not really an option. This means the booking reference code and the email address are passed as arguments in the URL itself. On its own, this would not be an issue. However, a number of sites load additional content, such as advertisements, directly on the same page.
This means the direct-access URL is shared with those other resources. Sometimes this happens directly, and sometimes indirectly through the referrer field of the HTTP request that the browser sends when fetching them.
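The two leak paths described above, the referrer header and the page URL copied into a third-party request, can be checked for in a site's own traffic. The following Python script is an added example (not code from the article or from Symantec): it audits a constructed set of request records for a hypothetical hotel site, flags third-party requests that carry the booking parameters, and shows the URL a site should redirect to once the emailed link has been consumed. The host names, parameter names and records are all constructed for illustration.

```python
"""Audit constructed request records from a booking page for leakage of the
booking reference and email address to third-party hosts.
Added example with constructed data; hostnames and parameter names are assumptions."""
from urllib.parse import urlparse, parse_qs, parse_qsl, urlencode, urlunparse, quote

# Query keys that identify the guest on the constructed booking page.
# Real sites use many different names, so treat this set as an assumption.
SENSITIVE_KEYS = {"bookingref", "email", "pnr", "reservation"}

FIRST_PARTY = "hotel.example"  # constructed first-party domain

# The kind of direct-access link a confirmation email carries (constructed).
BOOKING_PAGE = ("https://hotel.example/booking/view"
                "?bookingref=ABC123&email=guest%40example.com&lang=en")


def is_first_party(host: str, first_party: str = FIRST_PARTY) -> bool:
    """True when host is the site itself or one of its own subdomains."""
    host = host.lower()
    return host == first_party or host.endswith("." + first_party)


def sensitive_params(url: str) -> dict:
    """Return sensitive query parameters found in a URL.
    Analytics beacons often pass the page URL as a parameter (e.g. ?url=...),
    so any parameter value that is itself a URL is inspected one level deeper."""
    found = {}
    for key, values in parse_qs(urlparse(url).query).items():
        if key.lower() in SENSITIVE_KEYS:
            found[key] = values[0]
        else:
            for value in values:
                if "://" in value:
                    found.update(sensitive_params(value))
    return found


def audit(records: list, first_party: str = FIRST_PARTY) -> list:
    """records: dicts with 'url' (request target) and optional 'referer'.
    Returns one finding per third-party request that carries sensitive data,
    either in its own URL ('url:key') or in its Referer header ('referer:key')."""
    findings = []
    for rec in records:
        host = urlparse(rec["url"]).netloc
        if is_first_party(host, first_party):
            continue  # the site's own resources are allowed to see the full URL
        leaked = {f"url:{k}": v for k, v in sensitive_params(rec["url"]).items()}
        leaked.update({f"referer:{k}": v
                       for k, v in sensitive_params(rec.get("referer", "")).items()})
        if leaked:
            findings.append({"host": host, "leaked": leaked})
    return findings


def strip_sensitive(url: str) -> str:
    """Mitigation: the URL a server-side redirect should send the browser to
    after consuming the emailed link, so neither the page URL nor the referrer
    carries the booking code any more. Non-sensitive parameters are kept."""
    parsed = urlparse(url)
    kept = [(k, v) for k, v in parse_qsl(parsed.query) if k.lower() not in SENSITIVE_KEYS]
    return urlunparse(parsed._replace(query=urlencode(kept)))


# Constructed records for one page load of the booking page.
SAMPLE_REQUESTS = [
    {"url": BOOKING_PAGE},                                          # the page itself
    {"url": "https://static.hotel.example/css/site.css",            # own CDN: fine
     "referer": BOOKING_PAGE},
    {"url": "https://ads.example/pixel.gif",                        # ad pixel gets full URL as Referer
     "referer": BOOKING_PAGE},
    {"url": "https://analytics.example/collect?v=1&url=" + quote(BOOKING_PAGE, safe=""),
     "referer": "https://hotel.example/"},                          # page URL copied into beacon
    {"url": "https://social.example/like.js",                       # referrer trimmed to origin: fine
     "referer": "https://hotel.example/"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_REQUESTS):
        print(finding["host"], "receives", finding["leaked"])
    print("safe redirect target:", strip_sensitive(BOOKING_PAGE))
```

The audit reports the ad pixel (leak via Referer) and the analytics beacon (leak via the request URL), while the first-party CDN and the widget that only received the origin are clean. On the mitigation side, the redirect produced by strip_sensitive removes the booking code from the address bar, and a Referrer-Policy of no-referrer or strict-origin-when-cross-origin on the booking page prevents the full URL from reaching cross-origin resources in the first place; neither measure helps against a beacon that deliberately copies the page URL, which is why the in-URL check is kept separate.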
According to Wueest, his tests show that an average of 176 requests are generated per booking, although not all of these requests contain the booking details. Given that number, it can be concluded that the booking data could be shared quite widely.
Furthermore, the research revealed that the booking data remains available even after the customer cancels the reservation. It also indicates that hotel comparison websites and booking engines leak customers’ data. Wueest said, “From the five services that I tested, two leaked the credentials and one sent the login link without encryption.”