CybersecuritySecurity NewswireCybersecurity NewsHospitality & Casinos

Security research discovers vulnerabilities in popular travel service

By Jordyn Alger, Managing Editor
Luggage

American Green Travel via Unsplash

January 29, 2025

Research from Salt Labs reveals a vulnerability in a popular online travel service, specializing in hotel and car rentals while integrating with airline services. 

The flaw discovered is an account takeover vulnerability, which could allow a malicious actor to gain unauthorized access to an account and impersonate the user. From there, a malicious actor could perform a variety of actions, including: 

  • Cancelling booking information 
  • Editing booking information 
  • Booking rentals with the users airline loyalty points 

This vulnerability can be leveraged via a malicious link evading the travel services security measures. This link may be distributed through text messages, emails or a website controlled by the threat actor. Upon a user clicking the link and authenticating into the online service, the malicious actor gains full access to their account. 

Mr. Akhil Mittal, Senior Manager at Black Duck, comments, “This vulnerability shows a growing and recurring issue in API security — convenience often takes priority over security. Travel platforms are built to provide seamless user experiences, but that ease of use can create blind spots. Here, attackers didn’t use sophisticated techniques; they exploited weak validation processes and a failure to manage trust between integrated systems.

“What stands out to me is the lack of granular access controls and proper token validation. These are basics in API security, but they’re often overlooked in favor of faster integrations or simpler designs. Organizations need to step back and ask: Are we truly enforcing strong authentication at every step? Are we watching for unusual behaviors, like spikes in link activity or unexpected account access? And are we taking the time to understand the risks our third-party partners might bring into the mix?

“This isn’t just about fixing a technical issue or patching vulnerabilities. When systems are interconnected, the risks don’t just add up; they multiply. One flaw in an API can quickly spread, putting millions of users at risk. That’s why APIs need smarter security, like dynamic trust validation, validate behavior and detect anomalies in real time to prevent exploitation.” 

KEYWORDS: API security online security threat intelligence travel cybersecurity

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Jordynalger

Jordyn Alger is the managing editor for Security magazine. Alger writes for topics such as physical security and cyber security and publishes online news stories about leaders in the security industry. She is also responsible for multimedia content and social media posts. Alger graduated in 2021 with a BA in English – Specialization in Writing from the University of Michigan. Image courtesy of Alger

Related Articles

Related Products

See More ProductsSee More Products

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!