A newly disclosed OAuth redirect vulnerability in a widely used online travel booking service could have exposed millions of airline customers to account hijacking, cybersecurity researchers have revealed. The now-patched flaw, discovered by API security firm Salt Labs, allowed attackers to seize full control of user accounts, potentially enabling unauthorized hotel and car rental bookings using victims' airline loyalty points.
🔥 How the OAuth Flaw Led to Account Takeover
According to a report shared with The Hacker News, the flaw stemmed from the way the OAuth-based login flow was handled in a third-party travel service integrated with major airline websites. The affected service, though unnamed, is embedded in dozens of commercial airline platforms, allowing users to seamlessly book hotels and rental cars.
Attackers could exploit the weakness by sending a maliciously crafted URL through email, SMS, or phishing websites. The link pointed at the service's legitimate login endpoint, so the victim authenticated normally; once the login completed, the flow redirected the resulting token to a site controlled by the attacker, granting full access to the victim's account.
🚨 Why This Vulnerability Was So Dangerous
Many airline platforms allow users to log in to rental booking services using their airline credentials. During this process, the rental service generates a redirect link to complete authentication. The exploit worked by manipulating the "tr_returnUrl" parameter, which controlled where the user, together with their session token, was sent after login. Pointing it at an attacker's domain delivered the token to the attacker and led to unauthorized access to the account and the personal data behind it.
🔹 Key Risks:
✔️ Account Hijacking – Full control over a user’s travel service account
✔️ Loyalty Point Theft – Unauthorized hotel and car rental bookings
✔️ Personal Data Exposure – Access to sensitive customer details
✔️ Booking Manipulation – Editing, canceling, or misusing travel reservations
🔎 Why Traditional Security Measures Failed
This exploit was particularly difficult to detect because the malicious URL appeared legitimate: its host was an authorized airline subdomain, and the attacker-controlled destination lived only in the "tr_returnUrl" query parameter. Standard domain inspection, blacklisting, or whitelisting techniques were ineffective because they judge a link by its domain, while the manipulation occurred at the parameter level.
Cybersecurity researcher Amit Elbirt of Salt Labs emphasized that API supply chain attacks are a growing threat, where adversaries exploit weak links in third-party integrations to compromise user accounts.
🛑 "Beyond mere data exposure, attackers can perform actions on behalf of the user, such as creating orders or modifying account details," Elbirt warned.
🛡️ Strengthening Security in Third-Party Integrations
This vulnerability highlights the critical need for stronger OAuth security measures in third-party API integrations. Organizations should:
✅ Enforce strict URL validation to prevent redirect manipulation: compare redirect and return URLs against an allowlist of exact, pre-registered URLs rather than substring or prefix matches
✅ Implement additional authentication layers such as MFA
✅ Use advanced anomaly detection to spot unusual login behaviors
✅ Conduct rigorous penetration testing to identify OAuth weaknesses
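To make the "tr_returnUrl" mechanism and the validation advice concrete, here is an added example that is not code from Salt Labs or from the affected service. It models a post-login redirect handler in Python: a flawed version that sends the session token wherever the parameter points, a domain-only link check of the kind that passes the crafted link, and a hardened version that accepts only exact matches against registered return URLs. The host names (`hotels.airline.example`, `evil.test`), the registered URL set, the server-side reading of `tr_returnUrl`, and the token-in-fragment format are all assumptions made for illustration; the article does not describe the real implementation.

```python
"""Toy model of an OAuth-style post-login redirect and its hardening.

Added example, not the vendor's or Salt Labs' code. Host names, the
registered return URLs and the token format are assumptions.
"""
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

TRUSTED_DOMAIN = "airline.example"  # assumed airline domain

# Assumption: the only return URLs the integration ever registered.
REGISTERED_RETURN_URLS = {
    "https://hotels.airline.example/auth/callback",
    "https://cars.airline.example/auth/callback",
}

# Constructed attacker values. Each one slips past a weaker check (prefix,
# substring, or "does the link's host belong to the airline").
BYPASS_ATTEMPTS = [
    "https://hotels.airline.example.evil.test/auth/callback",   # prefix match
    "https://hotels.airline.example@evil.test/auth/callback",   # userinfo trick
    "//evil.test/auth/callback",                                # scheme-relative
    "https://evil.test/phish?next=https://hotels.airline.example/auth/callback",
    "https://hotels.airline.example/auth/callback/../../redirect?to=https://evil.test",
]


def build_login_link(tr_return_url):
    """The link a phisher would send: the host is the genuine airline subdomain."""
    query = urlencode({"tr_returnUrl": tr_return_url})
    return urlunsplit(("https", "hotels.airline.example", "/login", query, ""))


def link_looks_legitimate(url):
    """What a domain blocklist/allowlist on the *link* sees: only the host."""
    host = urlsplit(url).hostname or ""
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def _return_url_param(login_url):
    """Read tr_returnUrl from the login link's query string (None if absent)."""
    params = parse_qs(urlsplit(login_url).query)
    return params.get("tr_returnUrl", [None])[0]


def vulnerable_redirect(login_url, session_token):
    """Flawed handler: the token follows the user to whatever URL was supplied."""
    target = _return_url_param(login_url)
    if target is None:
        return None
    return f"{target}#token={session_token}"


def is_registered_return_url(value):
    """Exact-match allowlist check on the canonical scheme://host/path."""
    parts = urlsplit(value)
    if parts.scheme != "https" or not parts.hostname:
        return False                      # relative, scheme-relative, http
    if parts.username is not None or parts.password is not None:
        return False                      # user@host tricks
    if parts.port not in (None, 443):
        return False
    # Keep query and fragment so anything appended fails the exact match.
    canonical = urlunsplit(("https", parts.hostname, parts.path,
                            parts.query, parts.fragment))
    return canonical in REGISTERED_RETURN_URLS


def hardened_redirect(login_url, session_token):
    """Hardened handler: refuse (return None) unless the target is registered."""
    target = _return_url_param(login_url)
    if target is None or not is_registered_return_url(target):
        return None
    return f"{target}#token={session_token}"


if __name__ == "__main__":
    crafted = build_login_link("https://evil.test/collect")
    print("link host trusted:", link_looks_legitimate(crafted))
    print("vulnerable ->", vulnerable_redirect(crafted, "tok123"))
    print("hardened   ->", hardened_redirect(crafted, "tok123"))
    for attempt in BYPASS_ATTEMPTS:
        print("rejected:", attempt, hardened_redirect(build_login_link(attempt), "t") is None)
```

The hardened check deliberately compares a canonical form of the whole URL, not just the host: the bypass list shows why a prefix or substring check on the trusted domain is not enough, and why a filter that only inspects the link's own host (as `link_looks_legitimate` does) cannot see the problem at all.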
As API-based cyber threats continue to rise, ensuring secure service-to-service interactions is essential to protect users from account hijacking, data theft, and fraudulent activities.