[ad_1]
The main problem was booking confirmation emails, according to Candid Wueest, lead threat researcher at Symantec. Many messages include an active link that directs to a separate website where guests can access their reservation and reconnect. The booking code and the email address of the customer are often in the URL itself, which in itself does not matter.
However, as in many other businesses, hotels share your personal information with third parties, which means that your booking code and email address are also visible. The attacker would only need to have access to your booking code and email to find your address, full name, mobile phone number, pbadport number and other extremely sensitive information. Symantec also found that fewer hotels did not encrypt the links sent in confirmation emails, which gave the attackers another window of opportunity.
A spokesman for Symantec told Engadget that the company had contacted the hotels with the security breach and that most, but not all, hotels were taking steps to fix it. Symantec did not disclose which hotels were named in the study, but said it had viewed a total of 45 different websites, including boutique hotels and large chains with hundreds of hotels. locations, covering more than 1,500 hotels.
What can customers do in the meantime to protect their privacy? Symantec recommends that users use a VPN to change their hotel reservation when connected to the public WiFi network. In addition, you can check the URL of your confirmation link to see if the details of your booking are exposed. A URL with the security vulnerability would look like this: https: //booking.the-hotel.tld/retrieve.php? prn=1234567&[email protected]
Wueest said in an email to Engadget that he had also consulted five search engines for trips and discovered similar security loopholes. "This (… conclusion) shows that it is a general problem in the travel industry and not just a local problem," he writes.
Source link