How a Single Vulnerability Exposed Millions of Airline Customers


In an overwhelmingly digital society, application programming interfaces (APIs) underpin a wide range of online processes, from financial transactions to signing in to third-party sites through a connected identity provider. The very accessibility that makes APIs useful across so many cases, however, also makes them prime targets. Many organizations run interconnected systems in which a single API vulnerability can hand attackers broad access to accounts, networks, and data.

The travel and hospitality industries are increasingly reliant on APIs to simplify and streamline processes like flight and hotel bookings, which traditionally can be complicated and tedious. This can make things more convenient for customers, but it can also open the door for bad actors. Salt Labs has recently discovered a vulnerability in a heavily integrated travel service that can enable account takeover attacks.

The Salt Labs Discovery: A Critical Vulnerability in a Top-Tier Travel Service

Salt Labs discovered this vulnerability in a major travel service (anonymized as “Acme Travel”), which offers online hotel and car booking solutions. The company provides third-party integration with commercial airlines and other retail services, putting it in a position to be the entry point for a wide array of attacks. The potential impacts of this flaw are far-reaching: taking advantage of the vulnerability could enable attackers to fully take over target accounts.

This particular flaw sits in the login and connection flow between the travel service and its partners. The requests generated during that flow carry parameters that tell the service where to send the user, and the authentication material that goes with them, once the login completes. By tweaking those parameters, an attacker can point the destination at a server they control, so the victim's credentials are delivered to the attacker instead of to the legitimate site. With that ill-gotten information the attacker can obtain valid session tokens and log in to the website as the victim, carrying out any action the victim could. Airline integrations, while convenient for consumers, amplify this third-party risk: a gap in the API security of one partner becomes a route to credentials that can be leveraged against the others.

Exploitation Method: How Attackers Could Hijack User Accounts

Attackers could exploit the above vulnerability by sending victims crafted links that carry the manipulated parameters. Such links can be deployed through a variety of vectors, including phishing emails, text messages, and malicious websites. The victim does not have to do anything unusual: once they click the link, thinking it is legitimate, they log in as they normally would, and the manipulated request causes the server to hand the resulting credentials to the attacker rather than to the intended site.

These attacks have implications not only for target accounts, but for the broader security landscape. Open redirect vulnerabilities “have been a known weakness for over a decade and are relatively easy to address,” according to John Bambenek, President at Bambenek Consulting, so the presence of a vulnerability like the one discovered by Salt Labs only highlights the level of complacency concerning API security and third-party risks. These vulnerabilities often go unaddressed and can lead to booking fraud, theft of loyalty points, and identity spoofing.

Why API Security Is a Growing Weak Link in the Supply Chain

APIs are an inescapable part of online interactions, but API security often falls by the wayside as developers, organizations, and users each assume it is someone else's responsibility. Third-party integrations with weak security controls are dangerous precisely because they expose multiple interconnected services through a single access point. Users may assume that the API connecting two legitimate and otherwise secure services is as secure as the services themselves; attackers, meanwhile, use weaknesses in that connecting layer to reach the legitimate services behind it.

Just in the past year, there have been multiple high-profile API security breaches impacting the travel and financial industries. Car rental company Avis experienced a major breach in August 2024 that was traced to an unsecured API endpoint and compromised the data of nearly 300,000 customers. FireTail Inc. published a 2024 report on the state of API security, which noted that the travel and automotive industries are especially affected by an extreme increase in API breaches.

Unfortunately, securing APIs at scale presents challenges. Many organizations employ vast networks of applications and services interconnected with any number of APIs, and they may find it difficult to obtain full visibility into all of the APIs in use, let alone ensure security across the board with all APIs and third parties.

Mitigating the Risk: Best Practices for API Security in Travel and Hospitality

To mitigate the risks of API supply chain attacks in the travel and hospitality industries, organizations can combine security tooling with well-established practices. Strengthening authentication and authorization, by mandating multi-factor authentication and enforcing password hygiene, blocks account takeover attempts that rely on guessed or stolen passwords. It does not, however, stop the class of flaw described above: in a redirect-based attack the victim completes the full login, including any second factor, and it is the resulting session token that is stolen, so the fix has to be in the integration itself, with redirect destinations validated against a strict allowlist and tokens passed only to the intended party. Zero Trust and the principle of least privilege then limit how far an intrusion can spread once a single account or service is compromised.

Deploying real-time anomaly detection and monitoring across API traffic can also help by surfacing intrusions that other security tools miss. Behavioral detection matters here because signature-based tools look for known indicators, and an attack that consists of an ordinary login followed by an ordinary redirect to an unexpected host carries no signature to match; what stands out is the destination, the volume, or the pattern of sessions that follows.

Lessons from the Attack and the Future of API Security

It is vital for organizations to address threats to API security adequately. Behavioral monitoring can detect unknown threats that signature-based tools cannot. Regular security audits and penetration testing, including review of every redirect and callback parameter in partner integrations, find vulnerabilities proactively before bad actors exploit them. Organizations are also encouraged to foster industry-wide collaboration, since in an integrated travel ecosystem a weakness at one partner is a weakness for all of them.

Author
  • Contributing Writer, Security Buzz
    PJ Bradley is a writer from southeast Michigan with a Bachelor's degree in history from Oakland University. She has a background in school-age care and experience tutoring college history students.