
Powder Point: every third tour and hotel booking service contains gaps

The most popular mobile applications for booking hotels, tours and transport contain serious vulnerabilities. The greatest risk to tourists comes from flaws that let attackers reach personal data, according to a recent study by AppSec Solutions. Tourists also face frequent phishing attempts, schemes that are usually aimed at stealing money and confidential user data. Some services say there is no evidence that the study is reliable, and many question the methodology behind its conclusions. However, several independent information security experts share the concerns. Details can be found in the Izvestia article.
An unarmored reservation
Every popular mobile application for booking hotels and tours that Russians download from various sites contains vulnerabilities, AppSec Solutions told Izvestia. The new study covered applications from the top 100 most downloaded.
In total, the analysts found 1,336 vulnerabilities of varying severity. Of these, 381 fall into the "high risk" category, meaning they can lead to leaks of sensitive data and harm users or the company that owns the application.
A common problem across the travel applications is insecure storage of valid tokens for other services, which in theory could give an attacker access to data through that third-party service. More than a hundred such tokens were found in the travel applications. Another high-risk vulnerability is the construction of an Intent, the object that Android components use to communicate with one another, from untrusted input: data from third-party sources can produce an Intent carrying malicious elements and make the application behave unpredictably.
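As an added illustration (not code from the study or from any of the applications it tested), the following Python scanner shows how the embedded-token finding is typically checked in practice: decoded app resources are swept for credential formats whose shape identifies the issuer, plus a generic rule for long, high-entropy values next to words like `secret` or `token`. The sample lines are constructed to look like decompiled APK output; the AWS key is Amazon's documented example key and everything else is made up.

```python
"""Scan decoded mobile-app resources for embedded third-party tokens.

Added example, not code from the AppSec Solutions study or from any of the
applications it examined. SAMPLE_LINES is a constructed set of lines
resembling what a decompiled APK yields (strings.xml entries, smali
const-strings, a bundled .properties file).
"""
import math
import re
from dataclasses import dataclass

# Credential formats whose shape alone identifies the issuer.
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "google_api_key": re.compile(r"\b(AIza[0-9A-Za-z_-]{35})\b"),
    "jwt": re.compile(
        r"\b(eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,})\b"
    ),
}
# Fallback: a key/secret/token/password assignment with a long value;
# accepted only if the value is high-entropy, which filters out plain words.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(api[_-]?key|secret|token|password)\W{0,5}([A-Za-z0-9_\-/+=.]{20,})"
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    redacted: str  # only the ends are kept so the report does not re-leak the token


def shannon_entropy(s: str) -> float:
    """Bits per character: random tokens sit above ~3.5, natural words well below."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def redact(value: str) -> str:
    return f"{value[:4]}...{value[-4:]}" if len(value) > 8 else "***"


def scan_lines(lines, entropy_threshold: float = 3.5):
    """Return a Finding for every embedded token spotted in the given lines."""
    findings = []
    for no, line in enumerate(lines, 1):
        known = [
            Finding(no, kind, redact(m.group(1)))
            for kind, pat in KNOWN_PATTERNS.items()
            for m in pat.finditer(line)
        ]
        if known:
            findings.extend(known)
            continue  # do not report the same value a second time via the generic rule
        m = GENERIC_ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(2)) >= entropy_threshold:
            findings.append(
                Finding(no, f"high_entropy_{m.group(1).lower()}", redact(m.group(2)))
            )
    return findings


# Constructed sample: the AWS key is Amazon's documented example key, the rest is made up.
SAMPLE_LINES = [
    '<string name="app_name">TravelBook</string>',
    '<string name="maps_key">AIzaSyD4Q1xL0m2Z9a8B7c6D5e4F3g2H1i0J9k8</string>',
    'const-string v0, "AKIAIOSFODNN7EXAMPLE"',
    'analytics.token = eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c',
    'hotel_api_secret="Qm9va2luZ1NlY3JldEtleTIwMjQhIQ=="',
    'password=welcome',
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f"line {f.line_no}: {f.kind} {f.redacted}")
```

Run it over the directory that `apktool d` produces (`res/values/strings.xml`, the `smali` tree, any bundled `.properties` or `.json` files). A hit is only the start of the analysis: the next step is to check whether the token is still valid and what the third-party service grants to its holder, which is exactly the risk the study describes.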
"In addition to technical attacks, tourists face frequent phishing threats, such as sending fraudulent invitations to fake booking sites," says Yuri Shabalin, Stingray Product Director at AppSec Solutions. — It is possible to distinguish such resources from real ones only by minor details, such as a domain name or a security certificate. Such schemes are usually aimed at stealing money and confidential user data.
Interestingly, a recent study by the Roskachestvo Center for Digital Expertise on the security of hotel booking applications found that the services it analyzed met the relevant criteria and performed well in testing. It emphasized that the developers take a responsible approach to the safety of users' personal and payment data. That study did not identify any critical vulnerabilities that would slow down the applications or seriously affect their performance.
A number of large services and aggregators declined to discuss the findings from Russia's largest vendor. Roskomnadzor (RCN) told Izvestia that, with the holiday season approaching, fraud in the tourism sector has indeed become more frequent. Attackers create fake booking sites that copy popular services. They look almost identical to the originals but differ by one letter in the name or by small details in the design. Once on such a site, a person enters their card details, but no booking takes place and the money goes to the scammers.
"Another scheme is fake refund notifications,— the RCN press service says. — The tourist receives a message supposedly from the tour operator asking him to enter the card details for a refund. By entering the data, the person transmits it to the intruders. In order not to become a victim of such schemes, check the website address before paying, do not follow suspicious links, choose trusted services and avoid requirements for a 100% prepayment. And if you are offered to enter a CVV code for a refund, this is a clear sign of fraud.
Which vulnerabilities are most dangerous?
As Rustam Huseynov, chairman of the RAD COP company and an expert at the ABYSS Association, explains, applications today contain a large number of vulnerabilities, but in the hotel sector the critical ones are those involving insufficient control over access rights to user data.
"As a result, attackers can buy or book hotels on behalf of another person, steal their personal promo codes for discounts, spend accumulated bonuses, and so on," says Rustam Huseynov. — There is also the potential for personal data leaks due to the substitution of an identifier in requests (IDOR), which can later be used to implement attacks using social engineering methods. I'm not talking about the "eternal classics" with the ability to embed scripts on web resources of services such as xss, etc.
Users should pay attention to exactly which applications they download and from which services, Maxim Chashchin, Director of Information Security at Softline Group, told Izvestia. According to him, there are now many clone sites and applications that either contain plenty of vulnerabilities or were built from the outset to steal data and read information from the device. When the IT landscape and systems are audited, the weaknesses are immediately visible: encryption errors, outdated software and SQL injection vulnerabilities, the expert notes.
"It's hardly possible to talk about any privacy when using modern devices — analytical trackers collect information about user movements, purchases, search queries, and so on," says Roman Safiullin, head of information security at InfoWatch ARMA. — Trackers in travel applications do not differ globally from similar trackers in many other applications — they also collect information about user behavior in order to create a "digital portrait" of him and then offer him more suitable goods and services through targeted advertising.
Maxim Chashchin urges users not to forget basic caution. Always use multi-factor authentication and be careful on unsecured Wi-Fi networks, especially at airports, food courts, parks and on public transport. Check that a particular hotel or service also appears in other sources, such as maps and other websites. Do not grant every consent at once, read notifications carefully, and do not save or store card details inside unreliable services. It is worth getting dedicated virtual cards for specific trips, loaded with small amounts of no more than 10,000 to 20,000 rubles. It is better to take the time and enter the card details manually, and only once, than to store them.
Translated by Yandex Translate.