"...in order to completely manage a reservation on Marriott’s website, one only needs the reservation number along with the last name of the customer."

It's easy to see how a vulnerable database like this could be exploited by cybercriminals eager to scoop up the personal information of travellers. Fortunately, Westergren is a strong believer in responsible disclosure, rather than making a quick name for himself by going public about vulnerabilities before companies have had a chance to fix them. Unfortunately, Westergren found it very difficult to find someone at Marriott who could fix the problem.

"It was difficult to get in contact with the right person at Marriott. I attempted the best practice email format for security issues ([email protected]), but the mailbox didn’t exist. After over a month of trying Twitter and some LinkedIn contacts, I finally got in touch with someone in information security."

Fortunately, once Marriott's security team were briefed on the seriousness of the issue, they resolved it within approximately 24 hours. That's an impressive turnaround by Marriott, but it's disappointing that it wasn't more obvious how to contact the hotel chain about a serious security hole.

If you run an organisation which collects users' information, make sure you tightly control access to the sensitive data, and don't make a simple mistake like allowing an attacker to simply alter a user ID to see other people's records. Also, be sure to make it clear on your website how people should contact you if they believe they have found a security issue.

Finally, if Westergren drops you an email about what he's found while checking out your smartphone app, pay attention. Chances are that you will want to fix it as soon as possible.
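The mistake described above, a lookup that hands back any record whose ID the caller supplies, is usually called an insecure direct object reference. The following is an added example, not Marriott's or Westergren's code: a minimal reservation lookup written the vulnerable way beside a hardened version that ties each record to the authenticated account and records refused lookups so that ID-guessing shows up in logs. The reservation data, user IDs and the `Forbidden` exception are all constructed for the illustration.

```python
# Added example (not the hotel chain's code): an insecure direct object
# reference in a reservation lookup, next to a version that enforces
# ownership. All records and IDs below are constructed sample data.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Reservation:
    reservation_id: int
    owner_user_id: int  # the account that made the booking
    last_name: str
    details: str


# Constructed sample data: two guests, one booking each.
RESERVATIONS = {
    1001: Reservation(1001, owner_user_id=1, last_name="Smith",
                      details="2 nights, room 412"),
    1002: Reservation(1002, owner_user_id=2, last_name="Jones",
                      details="1 night, room 207"),
}

# Audit trail of refused lookups: (caller's user id, requested reservation id).
# A burst of entries from one account is the signal an enumeration attempt leaves.
DENIED_LOOKUPS: List[Tuple[int, int]] = []


class Forbidden(Exception):
    """Raised when the caller may not see the requested reservation."""


def lookup_vulnerable(reservation_id: int) -> Optional[Reservation]:
    """The flaw the article describes: whoever supplies a reservation number
    gets the record, with no check that it belongs to them."""
    return RESERVATIONS.get(reservation_id)


def lookup_hardened(current_user_id: int, reservation_id: int) -> Reservation:
    """Authorization check: the record must belong to the calling account.

    'Missing' and 'not yours' return the same error so the endpoint does not
    reveal which reservation numbers exist.
    """
    record = RESERVATIONS.get(reservation_id)
    if record is None or record.owner_user_id != current_user_id:
        DENIED_LOOKUPS.append((current_user_id, reservation_id))
        raise Forbidden("reservation not found")
    return record


def denied_count_for_user(user_id: int) -> int:
    """How many refused lookups a given account has produced; a detection hook."""
    return sum(1 for uid, _ in DENIED_LOOKUPS if uid == user_id)


if __name__ == "__main__":
    # Guest 1 asking for guest 2's booking: the vulnerable path hands it over,
    # the hardened path refuses and leaves an audit entry.
    print(lookup_vulnerable(1002))
    try:
        lookup_hardened(1, 1002)
    except Forbidden as exc:
        print("refused:", exc)
    print("denied lookups by user 1:", denied_count_for_user(1))
```

The point of the hardened version is that the reservation ID alone is never treated as proof of entitlement; the server looks up who is logged in and compares that to the record's owner. Because refusals are logged per account, a stream of denials from a single session is something a monitoring rule can alert on.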