
Millions of airline customers potentially impacted by security flaw


Millions of airline customers were at risk of account takeovers due to an OAuth security flaw in a widely used travel service, allowing hackers to hijack sessions and misuse loyalty points.


What happened

A security flaw in a widely used travel service for hotel and car rentals put millions of airline customers at risk of account takeovers. The vulnerability, discovered by API security firm Salt Labs, could have allowed hackers to log into users’ accounts, modify bookings, and spend airline loyalty points. While the affected service was not named, it is reportedly integrated into dozens of commercial airline platforms. The flaw has since been reported and mitigated.


Going deeper

The attack abused OAuth, a common login method that lets users sign in to third-party services without sharing their passwords. Victims were lured into clicking a manipulated link that led to the rental service provider’s genuine login page. When they logged in through their airline provider, the attackers intercepted the resulting session token and gained full access to the victim’s account.

The attack was difficult to detect because the malicious link pointed at a legitimate customer domain; the only changes were small, easily overlooked edits to the URL’s parameters, not to the domain itself. Security systems that typically block suspicious domains therefore did not flag it. With a stolen session token, attackers could log in as the user, modify travel plans, and spend airline loyalty points without ever needing the password.
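The parameter-level manipulation described above is exactly what a check that looks only at the domain misses. The following Python is an added illustration, not code from the article, from Salt Labs, or from the unnamed service; the parameter name `return_to`, the hostnames and the sample links are constructed placeholders. It contrasts a domain-only check with exact-match validation of the post-login callback target, which is one way to keep a manipulated parameter from sending the session token elsewhere.

```python
from urllib.parse import urlparse, parse_qs

# Constructed allowlist of exact (scheme, netloc, path) callback targets the
# login flow may send a user and their token back to. Placeholder hostnames.
ALLOWED_CALLBACKS = {
    ("https", "rentals.example-airline.test", "/oauth/callback"),
}

# Constructed sample links. The second uses the genuine domain but alters only
# the callback parameter, the pattern the researchers describe.
SAMPLE_GENUINE = (
    "https://rentals.example-airline.test/login"
    "?return_to=https://rentals.example-airline.test/oauth/callback"
)
SAMPLE_MANIPULATED = (
    "https://rentals.example-airline.test/login"
    "?return_to=https://rentals.example-airline.test.lookalike.test/oauth/callback"
)
SAMPLE_MISSING_PARAM = "https://rentals.example-airline.test/login"


def domain_only_check(url: str) -> bool:
    """Naive inspection of the outer link's domain only.

    Passes any link whose hostname is genuine, so a manipulated parameter is
    never examined. This mirrors the blind spot the article quotes.
    """
    return (urlparse(url).hostname or "").lower() == "rentals.example-airline.test"


def strict_callback_check(url: str) -> bool:
    """Exact-match validation of the callback parameter inside the link.

    Requires exactly one 'return_to' value (assumed parameter name) whose
    scheme, full netloc (userinfo and port included) and path match the
    allowlist exactly. Any query string or fragment on the callback is
    rejected, so parameter-level edits cannot reroute the token.
    """
    params = parse_qs(urlparse(url).query, keep_blank_values=True)
    targets = params.get("return_to", [])
    if len(targets) != 1:
        return False
    cb = urlparse(targets[0])
    if cb.query or cb.fragment or cb.params:
        return False
    return (cb.scheme.lower(), cb.netloc.lower(), cb.path) in ALLOWED_CALLBACKS


if __name__ == "__main__":
    for name, link in [("genuine", SAMPLE_GENUINE), ("manipulated", SAMPLE_MANIPULATED)]:
        print(f"{name:12} domain-only={domain_only_check(link)!s:5} strict={strict_callback_check(link)}")
```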


What was said

Security researchers at Salt Labs described the attack vector, explaining that it exploited OAuth authentication flow weaknesses. “Since the manipulated link uses a legitimate customer domain (with manipulation occurring only at the parameter level rather than the domain level), this makes the attack difficult to detect through standard domain inspection or blocklist/allowlist methods,” they noted.

Upon disclosure, the affected service provider confirmed the vulnerability and quickly deployed a fix, mitigating the risk to users. However, the scale of potential exposure remains severe, given the integration of the vulnerable system across multiple airline platforms.


The big picture

The incident is a reminder that even trusted login systems can have weaknesses that attackers exploit. Many airlines and travel services rely on third-party tools for bookings and logins; if those tools are not properly secured, they become entry points into every platform that integrates them. In this case, stolen session tokens let attackers access accounts without needing a password. As online threats grow more sophisticated, companies must strengthen their security measures, and users should stay cautious by avoiding suspicious links and enabling extra layers of protection where available.


FAQs

How can I check if my airline account was affected?

While the affected service provider wasn’t named, monitor your airline account for unauthorized changes, unexpected bookings, or missing loyalty points. If anything looks suspicious, reset your credentials and contact customer support.


What should I do to protect my account from similar attacks?

Enable multi-factor authentication (MFA) if your airline offers it, regularly review account activity, and avoid clicking on unfamiliar or unexpected login links, especially in emails or messages.


Can airlines or travel services prevent this type of attack in the future?

Yes, they can enhance security by implementing stricter session validation, monitoring login patterns for anomalies, and educating users about phishing risks.