Travel Site Typo Reveals Security Loophole

John Lister

Travel site Booking.com says one customer getting access to another customer's bookings was not a security breach. The problem appears to be a system that was set up without considering the possibility of human error.

Website Arstechnica.com reported the case of a customer identified only as "Alfie," who received a confirmation email for a trip he knew nothing about. He was surprised to log in to his account and find the full details of the booking listed there. (Source: arstechnica.com)

Typo Trouble

After Alfie made multiple enquiries to Booking.com's support staff, he received no useful response. He then reported the situation to Arstechnica, which also took "weeks" to get a proper response.

Booking.com eventually explained that the problem was simple: another customer had mistakenly typed Alfie's email address while making an online reservation. It appears the two customers had similar email addresses, so a single typo (combined with the fact that both had accounts with the site) was enough to cause the error. (Source: techradar.com)

The way the site works meant the booking was automatically added to Alfie's account: the site attached the booking to whichever existing account matched the typed email address, without checking that the person making the booking actually controlled that address. To make things worse, Booking.com said it was unable to remove the trip from his account, citing the privacy of the actual customer - a justification that doesn't make much sense when the trip was already sitting in a stranger's account. Instead, the only option was for Alfie to delete the trip himself, which, thankfully for the real customer, he did only after the travel dates had passed.
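The following is an added illustration written for this article, not Booking.com's code, and everything in it is an assumption: the data model, the `weak_book`, `start_booking` and `confirm_booking` names, the simulated outbox, the five-attempt limit and the constructed email addresses. It models the rule the article describes (a booking is attached to whatever account matches the typed address) beside a hardened rule in which a guest booking is only confirmed and attached once the booker proves control of the typed address with a one-time code, while customers booking while logged in under their own verified address skip the extra step. The code email carries no itinerary, so a stranger who receives it by mistake learns nothing and the booker notices the typo when no code arrives.

```python
"""
Illustrative model of attaching a booking to an account by email address.
Constructed example for this article, not Booking.com's code; all names,
limits and addresses below are assumptions.
"""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

MAX_ATTEMPTS = 5  # assumed limit so a 6-digit code cannot be brute-forced


@dataclass
class Booking:
    ref: str
    contact_email: str            # address typed at checkout (may be a typo)
    confirmed: bool = False
    owner: Optional[str] = None   # account the booking is shown in, once attached
    code: Optional[str] = None    # one-time code sent to contact_email
    attempts: int = 0


class BookingSite:
    def __init__(self) -> None:
        self.accounts: dict[str, list[str]] = {}  # email -> booking refs
        self.bookings: dict[str, Booking] = {}
        self.outbox: list[tuple[str, str]] = []   # (to, subject) of mails "sent"

    def register(self, email: str) -> None:
        self.accounts[email.lower()] = []

    def _attach(self, b: Booking) -> None:
        acct = self.accounts.get(b.contact_email.lower())
        if acct is not None:
            b.owner = b.contact_email.lower()
            acct.append(b.ref)

    # Weak rule (what the article describes): whoever types an address that
    # matches an existing account gets the booking dropped into that account,
    # and that account's owner receives the full itinerary.
    def weak_book(self, ref: str, contact_email: str) -> Booking:
        b = Booking(ref, contact_email, confirmed=True)
        self.bookings[ref] = b
        self._attach(b)
        self.outbox.append((contact_email, f"Confirmation for {ref}"))
        return b

    # Hardened rule: confirm and attach only once control of the typed address
    # is proven. A logged-in customer using their own address skips the code.
    def start_booking(self, ref: str, contact_email: str,
                      session_email: Optional[str] = None) -> Booking:
        b = Booking(ref, contact_email)
        self.bookings[ref] = b
        if session_email and session_email.lower() == contact_email.lower():
            b.confirmed = True
            self._attach(b)
            self.outbox.append((contact_email, f"Confirmation for {ref}"))
            return b
        b.code = f"{secrets.randbelow(10**6):06d}"
        # The code mail carries no itinerary, so a stranger who receives it
        # by mistake learns nothing about the trip or the real customer.
        self.outbox.append((contact_email, "Your verification code"))
        return b

    def confirm_booking(self, ref: str, code: str) -> bool:
        b = self.bookings[ref]
        if b.confirmed or b.code is None:
            return b.confirmed
        b.attempts += 1
        if b.attempts > MAX_ATTEMPTS:
            # Too many wrong codes: discard the booking rather than leave it open.
            del self.bookings[ref]
            return False
        if not hmac.compare_digest(b.code, code):
            return False
        b.confirmed = True
        b.code = None
        self._attach(b)
        self.outbox.append((b.contact_email, f"Confirmation for {ref}"))
        return True

    def visible_bookings(self, email: str) -> list[str]:
        """What a logged-in customer sees in their own account."""
        return list(self.accounts.get(email.lower(), []))


def demo() -> tuple[list[str], list[str]]:
    """Replay the typo scenario under both rules; return what the mistyped
    address's account sees under the weak rule and under the hardened rule."""
    weak = BookingSite()
    weak.register("alfie.smith@example.com")          # constructed address
    weak.weak_book("B-1", "alfie.smith@example.com")  # another guest's typo
    hard = BookingSite()
    hard.register("alfie.smith@example.com")
    b = hard.start_booking("B-2", "alfie.smith@example.com")  # same typo
    # The booker never receives the code (it went to Alfie), so nothing
    # confirms and nothing appears in Alfie's account.
    assert not b.confirmed
    return (weak.visible_bookings("alfie.smith@example.com"),
            hard.visible_bookings("alfie.smith@example.com"))


if __name__ == "__main__":
    print(demo())
```

The design point is that the email address typed at checkout is untrusted input, not proof of identity; the only thing that should bind a booking to an account is evidence that the person booking controls that address, which a logged-in customer has already supplied and a guest supplies once with the code.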

Nothing To See Here

Pressed on the problem, Booking.com reportedly said there was nothing to fix, as the system was working as designed and there had been no security breach. That may be true in the narrow sense, but there certainly appear to be data protection issues. Curious about the implications, Alfie asked Booking.com to "confirm" details about the booking, and support staff gave him identifying personal information about the real customer, even though he was not a party to the booking.

Alfie also noted that although there's no obvious way for somebody acting maliciously to trigger this deliberately, it's a matter of luck whether the unintended "recipient" of a booking is good-natured. He pointed out that a less charitable person could have cancelled the trip.

What's Your Opinion?

Do you buy Booking.com's explanation? Is this a serious problem? Is there an easy fix that wouldn't inconvenience legitimate customers?


Comments

doulosg:

When I log onto Booking.Com, I use MY email address. Booking then sends a code to MY email so I can validate myself. How did "Brodie" log on without "Alfie" getting an unexpected code?

I'd like to know a little more about what happened before giving an opinion about Booking's response.

I do know that Booking offers a 2-factor authentication option, that "Alfie" may or may not have been using.

I also see that Booking's codes seem heavy on the "alpha" side of "alphanumeric," unlike the usual 6-digit codes used by other sites. I wonder if this is a recent development.

Might this have actually been initiated at a third-party site?