Thousands of hotel websites across the world, from those of two-star hotels in the countryside to luxurious five-star resorts on the beach, are leaking guest details regularly to third-party sites such as advertisers and analytics companies, Symantec has found.
According to Candid Wueest, principal threat researcher at Symantec Corporation, the websites of as many as 67 percent of the more than 1,500 hotels in 54 countries he tested were found to leak booking reference codes to third-party sites such as advertisers and analytics companies.
Wueest noted that data leaked by hotel websites could enable advertisers and third-party services to "log into a reservation, view personal details, and even cancel the booking altogether."
Third-party services can access PII of hotel guests
He also found that a majority of hotel websites leaked personally identifiable information of their guests, including full names, email addresses, postal addresses, phone numbers, passport numbers, and the last four digits, card type, and expiration date of their credit cards.
When people make reservations on hotel websites, the hotels send them booking confirmations by email with a direct access link to their booking. Normally, this direct access link should be usable only by the recipient. However, a large number of sites load additional third-party content on the same page, and that content is therefore also given access to the direct link, so those advertisers can reach the booking details as well.
"The same data is also in the referrer field, which will be sent along by the browser in most cases. This results in the reference code being shared with more than 30 different service providers, including well-known social networks, search engines, and advertisement and analytics services. This information could allow these third-party services to log into a reservation, view personal details, and even cancel the booking altogether," Wueest said.
Hotel websites not encrypting HTTP links in emails
He added that over 29% of hotel websites do not encrypt the initial link sent in emails to customers, which allows a potential attacker to intercept the credentials of a customer who clicks the HTTP link in the email and even to modify that customer's booking.
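As an added illustration (not code from the Symantec research or this article), the following Python works out what Referer value a browser would send to each third-party resource a confirmation page loads, under a given Referrer-Policy, and flags the two problems described above: a reference code reaching a third party, and a plain-HTTP link. The hostnames, the sample link and the `ref` parameter name are constructed.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of the "direct access" confirmation link the article describes:
# the booking reference travels in the query string, and the link is plain HTTP.
SAMPLE_LINK = "http://hotel.example/booking?ref=ABC123"
SAMPLE_THIRD_PARTIES = ["https://ads.example/pixel.gif", "http://analytics.example/t.js"]


def referer_for(page_url, target_url, policy=""):
    """Referer value a browser sends when the page at page_url fetches target_url
    under Referrer-Policy `policy` (Fetch spec rules; '' means the browser default,
    which is strict-origin-when-cross-origin in current browsers)."""
    p, t = urlsplit(page_url), urlsplit(target_url)
    same_origin = (p.scheme, p.netloc) == (t.scheme, t.netloc)
    downgrade = p.scheme == "https" and t.scheme == "http"
    full = urlunsplit((p.scheme, p.netloc, p.path, p.query, ""))  # fragment is never sent
    origin = urlunsplit((p.scheme, p.netloc, "/", "", ""))
    rules = {
        "no-referrer": "",
        "origin": origin,
        "unsafe-url": full,
        "same-origin": full if same_origin else "",
        "strict-origin": "" if downgrade else origin,
        "origin-when-cross-origin": full if same_origin else origin,
        "no-referrer-when-downgrade": "" if downgrade else full,
        "strict-origin-when-cross-origin": full if same_origin else "" if downgrade else origin,
    }
    return rules[policy or "strict-origin-when-cross-origin"]


def leaks_reference(page_url, third_party_url, policy="", param="ref"):
    """True if the booking reference (query parameter `param`) in page_url would
    reach third_party_url in the Referer header under `policy`."""
    sent = urlsplit(referer_for(page_url, third_party_url, policy))
    return any(kv.split("=", 1)[0] == param for kv in sent.query.split("&") if kv)


def audit_link(page_url, third_party_urls, policy=""):
    """Summarise the two findings from the article for one confirmation link:
    whether it is unencrypted HTTP and which third parties receive the reference."""
    return {
        "plain_http": urlsplit(page_url).scheme == "http",
        "leaks_to": [urlsplit(u).netloc for u in third_party_urls
                     if leaks_reference(page_url, u, policy, "ref")],
    }


if __name__ == "__main__":
    # The older browser default leaked the full URL to every cross-origin resource.
    print(audit_link(SAMPLE_LINK, SAMPLE_THIRD_PARTIES, "no-referrer-when-downgrade"))
    # Mitigation on the hotel's side: send Referrer-Policy: no-referrer, or move the
    # reference out of the URL into a session cookie on the first request.
    print(audit_link(SAMPLE_LINK, SAMPLE_THIRD_PARTIES, "no-referrer"))
```

Even with a strict Referrer-Policy the reference still sits in the URL, so browser history, proxy logs and any script that reads `location.href` can still see it; removing the secret from the URL is the durable fix.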
"Unfortunately, this practice is not unique to the hospitality sector. Inadvertent sharing of sensitive information over URL arguments or in the referrer field is prevalent among websites. In the past couple of years, I have seen similar issues with multiple airlines, holiday attractions, and other websites. Other researchers reported similar issues in February 2019 wherein unencrypted links were used across multiple airline service providers," he added.
"Ultimately these companies are letting their customers down as they should require more thorough authentication. A simple addition would be two-factor authentication via a phone call or SMS. These companies already require your phone number so they could use it for two-factor authentication on top of your email. This wouldn’t impede their existing process and ‘ease of use’ but it would significantly bolster the security requirements of these services," said Naaman Hart, Cloud Services Security Architect at Digital Guardian.
"Hotels desperately need to get up to speed with security as it’s still a common occurrence for them to photocopy your passport and physically note down your credit card details when you visit and store it in a manual file in a cupboard. Yes, GDPR should be all over this but hotels are so behind in their processes it’s laughable. If GDPR requires proof of data destruction on request, are they going to send us a video of them shredding the paper? Who knows, but it puts into perspective why they’re clearly struggling," Hart added.