Customer payment information and other data was made vulnerable by a flaw in the Marriott Web service used by the Android app as well as the Web site, a security researcher found.
The vulnerability is the result of Marriott’s system failing to use any kind of authentication on requests, meaning that an attacker who knew a victim’s Marriott Rewards number could query the back end and retrieve sensitive information. That data could then be used to access some limited payment information and personal data of the victim on Marriott’s site. Researcher Randy Westergren discovered the vulnerability and reported it to Marriott’s security team, which fixed the issue within a day, he said.
“Marriott was fetching upcoming reservations with a completely unauthenticated request to their web service, meaning one could query the reservations of any rewards member by simply specifying the Membership ID (rewards number). It appeared concerning enough, but I wondered how serious the impact was to customers. With permission, exploring the upcoming reservations of a friend revealed what a valid response looked like,” Westergren wrote in a post describing the vulnerability.
The response from Marriott’s server contained the name of the hotel for the upcoming reservation, the check-in date, the victim’s last name and other data.
“There’s a lot of sensitive information there. What’s worse is that in order to completely manage a reservation on Marriott’s website, one only needs the reservation number along with the last name of the customer. As seen above, both of these fields are returned in the response. Logging in to manage the reservation, one could cancel the entire reservation,” Westergren said.
On a separate screen on the Marriott site, an attacker could access the victim’s complete contact information, including physical address and email address and partial payment card data. Westergren said he had a difficult time getting in touch with the security team at Marriott, but once he did the team moved quickly to fix the problem.
“After over a month of trying Twitter and some LinkedIn contacts, I finally got in touch with the someone in information security. I was extremely impressed with Marriott’s response; their team immediately took the report seriously and ended up resolving the vulnerability in about one day,” Westergren said.
It’s been an interesting month for Marriott. Two weeks ago the company said in a short statement that it would stop blocking customers’ personal WiFi hotspots in some parts of its hotels. The company had angered customers and run afoul of regulators at the FCC by sometimes sending deauthentication packets to guests’ devices in order to prevent them from using their own WiFi hotspots rather than paying to use the hotel’s network.
“In some cases, sent de-authentication packets to the targeted access points, which would dissociate consumers’ devices from their own Wi-Fi hotspot access points and, thus, disrupt consumers’ current Wi-Fi transmissions and prevent future transmissions. At the same time that these employees engaged in these practices, Marriott charged conference exhibitors and other attendees anywhere from $250 to $1,000 per device to use the Gaylord Wi-Fi service in the conference facilities,” the FCC said in a statement.