Tests by Symantec principal threat researcher Candid Wueest found that 67% of hotel websites leave customer information exposed.
Wueest ran these tests against more than 1,500 hotels in 54 countries, covering hotel types ranging from 2-star motels to 5-star resorts.
“While it’s no secret that advertisers are tracking users’ browsing habits, in this case the information shared could allow these third-party services to log into a reservation, view personal details, and even cancel the booking altogether,” said Wueest.
Key to these security flaws, said Wueest, is the fact that about 57% of hotels send a confirmation email containing a direct link to the booking, with the details needed to open it carried as URL arguments. Any other resource the booking page loads can then learn that URL.
“Many sites directly load additional content on the same website such as advertisements. This means that direct access is shared either directly with other resources or indirectly through the referrer field in the HTTP request,” explained Wueest.
Wueest also found that 29% of hotel sites do not encrypt the initial link sent in the confirmation email: it is a plain HTTP URL, so anyone positioned on the network path (on the same Wi-Fi, for example) can read the full URL, including the booking credentials it carries, when a customer clicks it.
To resolve this, Wueest recommends that hotels serve booking confirmation links over HTTPS so that they cannot be read in transit, and stop passing credentials as URL arguments. The second point matters independently of the first: even over HTTPS, whatever is in the URL can still reach third-party resources through the referrer field unless the site stops putting it there or restricts what the browser sends.
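The two leak paths described above (a plaintext HTTP link, and a booking URL that travels to third-party resources in the Referer header) can be checked mechanically. The following is an added example written for this page, not code from Symantec or from any hotel site: it audits a confirmation link and computes the Referer value a browser would send to a third-party resource under each standard Referrer-Policy value, following the W3C rules. The sample link, the third-party resource URL and the list of "sensitive" parameter names are constructed for illustration and are assumptions, not taken from the research.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl

# Assumption: query-parameter names that typically carry booking credentials.
# Chosen for illustration; real sites use their own names.
SENSITIVE_PARAMS = {"email", "lastname", "last_name", "bookingid", "booking_id",
                    "reservation", "confirmation", "token", "pin"}

# Constructed sample: a plaintext confirmation link carrying credentials.
SAMPLE_LINK = ("http://www.hotel.example/booking"
               "?bookingid=ABC123&email=guest%40example.com")
# Constructed sample: a third-party resource (ad or tracking pixel) the page loads.
THIRD_PARTY = "https://ads.example.net/pixel.gif"


def origin(url):
    """scheme://host[:port] of a URL."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"


def referer_sent(page_url, resource_url, policy="no-referrer-when-downgrade"):
    """Referer value a browser sends when a page at page_url fetches
    resource_url under the given Referrer-Policy, or None when nothing is sent.
    Mirrors the W3C Referrer Policy rules; the "full" form is the page URL
    with the fragment removed, as the spec requires."""
    page, res = urlsplit(page_url), urlsplit(resource_url)
    full = urlunsplit((page.scheme, page.netloc, page.path, page.query, ""))
    org = origin(page_url)
    same_origin = org == origin(resource_url)
    downgrade = page.scheme == "https" and res.scheme == "http"
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":   # pre-2020 browser default
        return None if downgrade else full
    if policy == "origin":
        return org
    if policy == "origin-when-cross-origin":
        return full if same_origin else org
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else org
    if policy == "strict-origin-when-cross-origin":  # current browser default
        if same_origin:
            return full
        return None if downgrade else org
    if policy == "unsafe-url":
        return full
    raise ValueError(f"unknown Referrer-Policy: {policy}")


def audit_confirmation_link(link, third_party=THIRD_PARTY,
                            policy="no-referrer-when-downgrade"):
    """Return (findings, referer) for a confirmation link.
    findings lists, in order: plaintext_http, credentials_in_query,
    leaked_via_referer (sensitive parameters reach the third party)."""
    p = urlsplit(link)
    findings = []
    if p.scheme != "https":
        findings.append("plaintext_http")          # readable on the network path
    sensitive = {k for k, _ in parse_qsl(p.query) if k.lower() in SENSITIVE_PARAMS}
    if sensitive:
        findings.append("credentials_in_query")    # whole URL is the credential
    referer = referer_sent(link, third_party, policy)
    if referer:
        sent = {k for k, _ in parse_qsl(urlsplit(referer).query)}
        if sent & sensitive:
            findings.append("leaked_via_referer")  # third party can open the booking
    return findings, referer


if __name__ == "__main__":
    for policy in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin"):
        for link in (SAMPLE_LINK, SAMPLE_LINK.replace("http://", "https://", 1),
                     "https://www.hotel.example/booking/view"):
            findings, ref = audit_confirmation_link(link, policy=policy)
            print(f"{policy:32} {link}\n    findings={findings} referer={ref}")
```

Running the script shows the progression the article implies: the HTTP link is flagged on all three counts; moving the same link to HTTPS removes only the interception finding, because under the older default policy the full URL still goes to the ad network; switching to a strict policy, or better, removing the credentials from the query entirely, is what closes the referrer path.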