Skip to content ↓ | Skip to navigation ↓

Here’s a piece of advice for anyone responsible for securing a corporation’s data: If you discover security researcher Randy Westergren is using your app, you had best take a long hard look at whether you are protecting your users’ information properly.

Because, if you’re not, there’s a good chance that he might be about to tell you what you’re doing wrong.

Westergren, who has recently uncovered security flaws in wine-loving app Vivino and Verizon’s My FiOS app, has most recently turned his attention to the Marriott International Android app, used by travellers around the world to book their hotel stays.

The issue, patched last week, made it simple for attackers to access the reservation and personal details of Marriott customers via its web services, exposing check-in dates, victims’ last names, and victims’ contact information including physical address, email address and partial payment card data.

Communicating with Marriott's web services

It turned out that Marriott’s Android app didn’t need to use any authentication to query Marriott’s web services for reservation information. All it required was a Membership ID.

Which meant that if Westergren, or someone malicious, wanted to access the details of many Marriott Rewards members all he would have to do is change the Membership ID data being used to query the web server. Sure enough, Marriott’s database began to spit out information:

Data from Marriott's servers

Westergren discovered that this was more than enough information to allow him to cancel, or alter, other people’s hotel reservations:

Cancel reservation

In his blog post describing the vulnerability, Westergren explains how he discovered that no authentication was required to fetch details of an upcoming reservation.

All that was needed was the rewards number Membership ID and the traveler’s surname – both pieces of information which had been provided by the insecure web service.

“…in order to completely manage a reservation on Marriott’s website, one only needs the reservation number along with the last name of the customer.”

It’s easy to see how a vulnerable database like this could easily be exploited by cybercriminals eager to scoop up the personal information of travellers.

Fortunately, Westergren is a strong believer in responsible disclosure – rather than making a quick name for himself by going public about vulnerabilities before companies have had a chance to fix them.

Unfortunately, Westergren found it very difficult to find someone at Marriott who could fix the problem.

“It was difficult to get in contact with the right person at Marriott. I attempted the best practice email format for security issues (security@marriott.com), but the mailbox didn’t exist. After over a month of trying Twitter and some LinkedIn contacts, I finally got in touch with the someone in information security.”

Fortunately, once Marriott’s security team were briefed on the seriousness of the issue, they resolved it within approximately 24 hours.

That’s an impressive turnaround by Marriott, but it’s disappointing that it wasn’t more obvious how to contact the hotel chain about a serious security hole.

If you run an organisation which collects users’ information, make sure you tightly control access to the sensitive data and don’t make a simple mistake like allowing an attacker simply alter a user ID to see other people’s records.

Also, be sure to make it clear on your website how people should contact you if they believe they have found a security issue.

Finally, if Westergren drops you an email about what he’s found while checking out your smartphone app, pay attention. Chances are that you will want to fix it as soon as possible.

Hacking Point of Sale
  • Coyote

    As soon as I saw on your RSS Feed the title _Marriott Customers' Personal Details Exposed by Simple Web Flaw_ I somehow suspected exactly as you elaborate on. I guess that is because of the 'Simple' part (combined with many other sites having this same flaw). Funnily enough, when you also give the name 'Randy Westergren' – despite the fact I couldn't have recited his name to save my life – I guessed similar as you say, because indeed his other disclosures.

    It is scary just how many sites (like, say, > 0) are vulnerable to this. Yet, at the same time, indeed 24 hours is quite impressive time to fix it. HOWEVER, that it took him that much effort to contact them, is another issue entirely (and somehow counts against the 24 hours although at least it is something).

    One would like to believe that more webmasters would consider this. But unfortunately – and here is the problem – webmasters are designers at best (usually, not always; there obviously are exceptions) and so they aren't really experienced in security. Let's be honest, too: even those who are, and even those who are knowledgeable and experienced with secure programming (the two words together) can make mistakes (like everyone) but worse is that they sometimes neglect certain things, too (just like everyone else!). So if that is the case it isn't any surprise that those inexperienced (if not flat out ignorant) also make these errors. I say often that it is very hard to teach security on a whole so the key is awareness. Unfortunately making people aware that they aren't aware involves finding them first and someone else might find them before, and that someone else might be more malicious. Lastly, even if someone with ethics finds them, the problem is: are the webmasters (or those responsible for fixing any issues) willing to accept their mistake(s)? That is (one of) the risk(s) of the openness of the Internet but it is equally important that it IS open (of course, the web is what most think of with the Internet – even though that is much younger than many other protocols – and the web is also one with many risks because it is what most use on the Internet). It is like everything in this world: all good comes with bad and the reverse is true; all bad comes with good.

  • the_mole

    Hmmmm IHG (Holiday Inn, Crowne Plaza etc. etc.) have a similar process

  • These flaws should be taken very seriously from the data and personal information security experts in order to sustain a successful business and avoid trouble with the law.