Recently, security researchers discovered that the online travel agency Booking.com was susceptible to critical vulnerabilities that could have been exploited to seize complete control of a user’s account.
Early in December 2022, API security company Salt Security discovered the problems and notified Booking.com of them. Patches were released in the ensuing weeks, and Salt Security provided technical information about the flaws.
The vulnerabilities that Salt Security researchers discovered lay in Booking.com’s implementation of OAuth, the authorization standard used by many online services to let users sign in with their Google or Facebook accounts. The flaws at Booking.com stemmed from its Facebook OAuth integration.