Since the COVID-19 crisis, many travel management companies have been ground to a halt. But what will happen when the borders open back up and employees get back on planes?

For many organizations, business travel is a core operational element that enables growth through networking and meeting existing and future customers and partners. Thus, TMCs are hired to become reliable partners who can support their clients with travel plans. Yet inadequate security measures in protecting critical travelers’ information assets can be a reason behind TMCs’ significant revenue loss and reputational damage. Not long ago U.S. corporate travel management firm, Carlson Wagonlit Travel has suffered an intrusion, and it is believed the company paid $4.5m to the hackers who stole reams of sensitive corporate files and said they had knocked 30,000 computers offline, according to a record of the ransom negotiations seen by Reuters.

As DataArt’s security team has gained experience in performing penetration testing services for the corporate travel sector, in this article we will describe a few examples of security vulnerabilities common within TMC web solutions.

Perhaps the threat that can affect business the most is the access controls issue. The exploitation of this vulnerability can give a hacker almost full control over a company's sensitive data. Unfortunately, multi-tenant corporate travel platforms risk missing function-level access controls which leads to a situation where a malicious user without appropriate permissions is able to obtain information about any deal/user/trip/etc. existing in the system.  As a possible example of such an attack, a travel manager of one company is able to obtain detailed information about another company’s employees registered within the same TMC, including their passport details, credit cards, etc. So, it is important that users are given access to only their own data and parts of the system that they need to work with, and at a level that’s appropriate to their role.

Moreover, the situation is even more dramatic when access control issues are combined with unauthorized access to API documentation. In cases when API documentation on third-party services is not hidden, attackers can use it to connect to these services disguised as developers and try getting access to sensitive information or abuse the system.

Still, weak password quality controls are remaining a key factor in accounts hijacking, giving an attacker the opportunity to easily guess the targeted accounts via brute-force attacks. These attacks can be mitigated by setting up a limitation on the number of attempts to enter an incorrect password. For example, after the third attempt, the system can either lock the account or require the additional CAPTCHA challenge to slow down the password guessing. Also, it is a common threat when an application returns user`s password back to the client in an unencrypted way via any public channel (mailbox, phone, etc.) specified during registration. Once an attacker gains access to the victim`s mailbox, he/she will be able to use supplied credentials and thus steal the business traveler’s account. The attacks of this kind could be mitigated by using secure credential management schemes and through adequate secondary authentication methods.

Vulnerable and insecure protocols are also a big source of problems for business travel applications. They are often affected by multiple cryptographic flaws and caused by weak configurations of the web servers and middleware. It is strongly recommended to check whether the protocol is still supported and choose the safer alternatives if it is deprecated or reached the end of life.

Many products from corporate travel are still vulnerable to such well-known types of vulnerabilities as XSS attacks (cross-site scripting). The main threats of cross-site scripting attacks are the following:

  • XSS attacks are dangerous since an attacker gains full access to a victim's browser and can use it for malicious actions.
  • The results of these attacks lead to theft of sensitive information stored in the browser (active sessions, personal data), phishing attacks, injection of malicious code (e.g., for hidden mining of bitcoins), access to the device's camera/microphone, and much more.

The following example can illustrate the danger of XSS scripting: an attacker can change the structure of a TMC’s solution by displaying a new window that will require re-entering a victim's credentials to continue working. After the password is entered, it is sent to the malefactor thus giving him/her full access to the business traveler’s account.

All in all, in order to avoid cybersecurity incidents, we recommend having a pentest performed by an independent security vendor at least annually or whenever a significant change is made to a company’s environment. Also, the rules of secure coding are important as ever and it should be noted that all related business assets are kept in safety (API documentation, code-signing assets, other related artifacts).