Marriott Fixes Android App Issue After Security Concerns Raised

Hotel chain Marriott has fixed a problem with its Android app-based reservation system that might have inadvertently exposed personal data to potential hackers, SC Magazine reported.

The app’s main problem was that it did not use any token or authorization protocol to access reservations, which meant that a hacker could use a script to try member ID numbers at random until one matched a real Marriott member ID. From there, the hacker could access addresses, contacts, birthdays, as well as the last four digits of the member’s bank card stored in the app.

The issue was discovered on Jan. 20 by Randy Westergren, who posted the process, as well as the internal coding problems, on his personal blog. After hearing the news stories of how Marriott would lock Wi-Fi users out at certain points, which earned the company a $600,000 fine and a warning from the FCC, Westergren wanted to see how well Marriott locked out access to sensitive information. Starting with the company’s internationally accessible Android app, he went to his upcoming reservations page and noticed that the app would “fetch” reservation requests without a cookie or prompt for authentication. Examining the app’s code, Westergren saw that sensitive user information was stored without any real security, meaning that it was easy for a hacker to cancel a reservation without the victim knowing about it (tested on a consenting friend’s account).
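To make the missing check concrete, the following is an added example, not code from Marriott or from Westergren’s blog: a reservation lookup that trusts a caller-supplied member ID (the pattern described above) beside one that binds lookups and cancellations to a server-issued session token. All member IDs, names, card digits, the credential store and the login routine are constructed for illustration.

```python
import hmac
import secrets

# Constructed sample data, not Marriott's: reservations keyed by member ID.
RESERVATIONS = {
    10000001: {"name": "A. Example", "card_last4": "1234", "status": "booked"},
    10000002: {"name": "B. Example", "card_last4": "5678", "status": "booked"},
}
CREDENTIALS = {10000001: "pw-a", 10000002: "pw-b"}  # constructed; real systems store hashes
SESSIONS = {}  # opaque token -> member ID, kept server-side only


def fetch_reservation_vulnerable(member_id):
    """The pattern the article describes: the ID in the request is trusted, nobody is authenticated."""
    return RESERVATIONS.get(member_id)


def login(member_id, password):
    """Hypothetical login: issue an unguessable session token bound to exactly one member."""
    expected = CREDENTIALS.get(member_id)
    if expected is None or not hmac.compare_digest(expected, password):
        return None
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, unlike a sequential member ID
    SESSIONS[token] = member_id
    return token


def _authorize(token, member_id):
    """Object-level check: the session must exist and belong to the member being requested."""
    return SESSIONS.get(token) == member_id


def fetch_reservation_hardened(token, member_id):
    """Lookup succeeds only for the member the session was issued to."""
    if not _authorize(token, member_id):
        return None
    return RESERVATIONS.get(member_id)


def cancel_reservation_hardened(token, member_id):
    """Cancellation goes through the same check, so a guessed ID alone does nothing."""
    if not _authorize(token, member_id):
        return False
    RESERVATIONS[member_id]["status"] = "cancelled"
    return True
```

The hardened variants still return only the reservation the session owns; enumeration of IDs without a valid session for each one yields nothing.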

Later that day, Westergren contacted Marriott about the problem through email and Twitter, which proved difficult because, unusually, the security@marriott.com address turned out to be a dead end. Once he described the problem to a security official at the company, it was taken seriously and was corrected by the next day (Jan. 21). Westergren commended the chain for resolving the problem quickly, and the issue appears to have been resolved, which matters given that fraud prevention has become a hot-button issue for major stores and card issuers as a result of major data breaches in the past few years.