Researchers have disclosed a flaw in the OAuth-based login flow of Booking.com user accounts that could have given an attacker full visibility into customers' personal and payment-card data. OAuth is an authorisation standard for cross-application access delegation: a site lets a user sign in through an existing identity provider, for example a Facebook or Google account, instead of creating new credentials, and the provider hands the site a token rather than the user's password. The flow is only as safe as the URL to which that token or authorisation code is delivered, so an open redirect on the receiving site lets an attacker steer the code to a host they control. The researchers found exactly such an open redirection vulnerability in Booking.com and abused it through the Facebook login option, chaining three security issues together to achieve full account takeover. "Once logged in, the attacker could have performed any action on behalf of the compromised users and gain full visibility into the account, including all of a user's personal information," researchers wrote.
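The check that closes this class of bug, shown here as an added example that is neither Booking.com's nor the researchers' code: a prefix-based redirect validator of the kind that typically produces open redirects, beside a hardened validator that parses the URL and requires an exact allowlisted host. The `ALLOWED_HOSTS` set, the `example.com` names and the `evil.test` attacker host are assumptions constructed for the example.

```python
from urllib.parse import urlparse

# Hypothetical allowlist of hosts this site is willing to redirect to after login.
# The names are constructed for the example; the real site's list is not public.
ALLOWED_HOSTS = {"app.example.com", "www.example.com"}


def is_safe_redirect_weak(url: str) -> bool:
    """Weak check: string prefix match on the trusted origin.

    This is the pattern behind many open redirects. It accepts
    https://app.example.com.evil.test/ (trusted name as a subdomain of
    the attacker's domain) and https://app.example.com@evil.test/
    (trusted name in the userinfo part), both of which a browser sends
    to evil.test.
    """
    return url.startswith("https://app.example.com")


def is_safe_redirect(url: str) -> bool:
    """Hardened check: parse the URL and compare the host exactly.

    Requires https, rejects any userinfo (user:pass@host), rejects
    scheme-less and protocol-relative targets, and accepts only hosts
    in the allowlist by case-insensitive exact match.
    """
    try:
        parts = urlparse(url)
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname
    if host is None:
        return False
    return host.lower() in ALLOWED_HOSTS


def delivered_to(url: str) -> str:
    """Host the browser would actually send the OAuth code or token to."""
    return (urlparse(url).hostname or "").lower()


if __name__ == "__main__":
    # Constructed candidates a login endpoint might receive as its redirect target.
    candidates = [
        "https://app.example.com/callback",
        "https://app.example.com.evil.test/",
        "https://app.example.com@evil.test/",
        "http://app.example.com/callback",
        "//evil.test/",
    ]
    for url in candidates:
        print(
            f"{url:45} weak={is_safe_redirect_weak(url)!s:5} "
            f"strict={is_safe_redirect(url)!s:5} goes_to={delivered_to(url)}"
        )
```

The strict validator follows the advice in RFC 6749 to register redirect targets and compare them by exact match rather than by prefix; the `delivered_to` helper makes the gap visible by printing which host would really receive the authorisation code for each candidate.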

