Hotel Websites Leak Guest Booking Details and Allow Access to Personal Data

Enterprise & IT | Apr 10, 2019

Hospitality services’ websites may leak your booking details, allowing others to view your personal data or even cancel your reservation, according to Symantec.

Symantec tested the websites of more than 1,500 hotels in 54 countries for privacy issues and found that two in three (67 percent) inadvertently leak booking reference codes to third-party sites such as advertisers and analytics companies. All of the hotels had a privacy policy, but none of them mentioned this behavior explicitly, Symantec said.

The study comes several months after Marriott International disclosed one of the worst data breaches in history. Symantec said Marriott was not included in the study.

While it’s no secret that advertisers are tracking users’ browsing habits, in this case the information shared could allow these third-party services to log into a reservation, view personal details, and even cancel the booking altogether.

It has been almost a year since the General Data Protection Regulation (GDPR) came into effect in Europe, but many of the hotels affected by this issue seem to have been very slow to acknowledge it, much less address it.

The sites tested ranged from two-star hotels in the countryside to luxurious five-star resorts on the beach. Locations were chosen randomly, and some hotel sites were part of larger, well-known hotel chains.

Some reservation systems were commendable, as they only revealed a numerical value and the date of the stay and did not divulge any personal information. But the majority leaked personal data, such as:

  • Full name
  • Email address
  • Postal address
  • Mobile phone number
  • Last four digits of credit card, card type, and expiration date
  • Passport number

More than half (57 percent) of the sites tested send a confirmation email to customers with a direct access link to their booking. This is provided for the convenience of the customer, allowing them to simply click on the link and go straight to their reservation without having to log in.

Because the email needs a static link, an HTTP POST request is not really an option, so the booking reference code and the email address are passed as parameters in the URL itself. On its own, this would not be an issue. However, many sites load additional content, such as advertisements, into the same page. This means the direct-access URL is shared either directly with those resources (a script embedded in the page can read the full URL) or indirectly through the Referer header the browser attaches to each request. Symantec's tests showed that an average of 176 requests are generated per booking; not all of them carry the booking details, but the number indicates how widely the data can spread.

The same data also ends up in the Referer header, which the browser sends along in most cases. As a result, the reference code was shared with more than 30 different service providers, including well-known social networks, search engines, and advertisement and analytics services. This information could allow these third-party services to log into a reservation, view personal details, and even cancel the booking altogether.
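The following Python script, added to this article as an illustration and not part of Symantec's research tooling, works through the Referer mechanism described above. It computes what a browser sends in the Referer header from a constructed booking URL (hotel.example, with the email address and reference in the query string) to three constructed resources the page might load, under each Referrer-Policy value. The policy names and rules are those of the W3C Referrer Policy specification; the hostnames and parameter names are assumptions made for the demonstration.

```python
# Added example (not Symantec's or any hotel's code): how much of a booking
# page's URL reaches each third-party resource through the Referer header,
# computed per the Referrer Policy rules for the policies browsers support.
# The hotel and third-party hostnames below are constructed for the demo.
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Constructed direct-access link of the kind the confirmation email carries:
# the credentials (email + booking reference) sit in the query string.
PAGE = "https://hotel.example/booking?email=guest%40example.com&ref=1234567"

# Constructed resources loaded by the booking page.
THIRD_PARTIES = [
    "https://hotel.example/static/app.js",     # same origin
    "https://analytics.example/collect.js",    # cross-origin, https
    "http://ads.example/pixel.gif",            # cross-origin, plain http
]

SENSITIVE = ("email", "ref")


def _host_port(url):
    p = urlsplit(url)
    return p.hostname + (f":{p.port}" if p.port else "")


def origin_of(url):
    """Serialized origin, the form browsers send for origin-only policies."""
    return f"{urlsplit(url).scheme}://{_host_port(url)}/"


def strip_for_referrer(url):
    """Drop fragment and userinfo, as browsers do before sending a Referer."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, _host_port(url), p.path or "/", p.query, ""))


def referer_header(referrer_url, target_url, policy):
    """Return the Referer value sent from referrer_url to target_url, or None."""
    if urlsplit(referrer_url).scheme not in ("http", "https"):
        return None
    full, origin = strip_for_referrer(referrer_url), origin_of(referrer_url)
    same_origin = origin == origin_of(target_url)
    downgrade = (urlsplit(referrer_url).scheme == "https"
                 and urlsplit(target_url).scheme != "https")
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "origin":
        return origin
    if policy == "no-referrer-when-downgrade":   # browser default in 2019
        return None if downgrade else full
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "strict-origin-when-cross-origin":  # current browser default
        if same_origin:
            return full
        return None if downgrade else origin
    raise ValueError(f"unknown policy {policy!r}")


def leaked_fields(referer_value, sensitive=SENSITIVE):
    """Which sensitive query parameters a Referer value exposes."""
    if referer_value is None:
        return []
    params = parse_qs(urlsplit(referer_value).query)
    return sorted(name for name in sensitive if name in params)


def simulate(page_url, targets, policy):
    """Map each loaded resource to the booking fields it receives via Referer."""
    return {t: leaked_fields(referer_header(page_url, t, policy)) for t in targets}


if __name__ == "__main__":
    for policy in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin"):
        print(policy)
        for target, fields in simulate(PAGE, THIRD_PARTIES, policy).items():
            print(f"  {target:40} -> {fields or 'nothing'}")
```

Under no-referrer-when-downgrade, the browser default when the study was published, every https third party receives the full URL including the email address and reference; only the plain-http ad pixel is spared, and only because of the downgrade. Sending `Referrer-Policy: strict-origin-when-cross-origin` (or `no-referrer`) from the booking page reduces cross-origin Referer values to the bare origin. That closes the indirect channel only: a script the page embeds can still read the full URL from `location.href`, so the credential also has to come out of the URL, for example by consuming the link once, setting a session cookie and redirecting to a clean URL before any third-party content loads.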

There are other scenarios in which the booking data may be leaked. Some sites pass on the information during the booking process, while others leak it when the customer manually logs into the website. Others generate an access token and pass it in the URL instead of the credentials; that is not good practice either, since a token in the URL leaks through the same channels as the credentials it replaces.

In most cases, Symantec found that the booking data remains visible, even if the reservation has been canceled, granting an attacker a large window of opportunity to steal personal information.

Hotel comparison websites and booking engines appear to be slightly more secure. Of the five services Symantec tested, two leaked the credentials and one sent the login link over an unencrypted connection.

The researchers also found that more than one-quarter (29 percent) of the hotel sites sent the initial link containing the ID over plain HTTP rather than HTTPS. An attacker on the same network could therefore intercept the customer's credentials when the customer clicks the HTTP link in the email, and then view or modify the booking. This is a realistic risk at public hotspots such as an airport or the hotel itself, unless the user protects the connection with a VPN.

In addition, multiple websites allow brute-forcing and enumeration of booking references. In many cases the booking reference code is simply incremented from one booking to the next, so an attacker who knows a customer's email address or last name can guess that customer's booking reference number and log in.
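To make the last few findings concrete, here is an added Python example, written for this article rather than taken from Symantec or any hotel's booking engine. It contrasts a toy reservation store that increments its booking references with one that issues an unguessable direct-access token, and it goes beyond the page in showing the accompanying controls a practitioner would expect: the token is stored hashed, the emailed link is https-only, failed logins are throttled, and the link is revoked when the booking is cancelled. The hostname, guest names and reference numbers are constructed for the demonstration.

```python
# Added example (not Symantec's or any hotel's code): a toy reservation store
# that contrasts the incrementing booking references the study describes with
# an unguessable direct-access token that is stored hashed, sent only over
# https, throttled on failed logins and revoked when the booking is cancelled.
# Names, references and the hostname are constructed for the demonstration.
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

HOST = "https://hotel.example"  # constructed; the emailed link is always https


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


class SequentialBookings:
    """Mimics sites where the reference is simply incremented per booking."""

    def __init__(self, first_ref: int = 5000000):
        self._next = first_ref
        self._rows = {}  # reference -> guest last name

    def create(self, last_name: str) -> str:
        ref = str(self._next)
        self._next += 1
        self._rows[ref] = last_name
        return ref

    def login(self, ref: str, last_name: str) -> bool:
        # Reference + last name is the whole credential, and the reference is
        # predictable from any other reference the attacker has seen.
        return self._rows.get(ref) == last_name


class HardenedBookings:
    """128-bit random token, hashed at rest, throttled, revoked on cancel."""

    MAX_FAILURES = 10

    def __init__(self):
        self._rows = {}      # sha256(token) -> {"last_name": str, "active": bool}
        self._failures = {}  # last name -> consecutive failed attempts

    def create(self, last_name: str) -> str:
        token = secrets.token_urlsafe(16)  # 16 random bytes = 128 bits
        self._rows[_digest(token)] = {"last_name": last_name, "active": True}
        return token  # the only clear-text copy goes into the email

    def access_link(self, token: str) -> str:
        """The direct-access link placed in the confirmation email."""
        return f"{HOST}/booking?{urlencode({'token': token})}"

    def login(self, token: str, last_name: str) -> bool:
        if self._failures.get(last_name, 0) >= self.MAX_FAILURES:
            return False  # throttled; production keys this on client IP too
        row = self._rows.get(_digest(token))
        ok = (row is not None and row["active"]
              and hmac.compare_digest(row["last_name"].encode(), last_name.encode()))
        if ok:
            self._failures.pop(last_name, None)
        else:
            self._failures[last_name] = self._failures.get(last_name, 0) + 1
        return ok

    def cancel(self, token: str) -> None:
        row = self._rows.get(_digest(token))
        if row is not None:
            row["active"] = False  # the link dies with the booking


def enumerate_attack(store, last_name: str, candidates, budget: int):
    """Try candidates with a known last name until one logs in or the budget
    is spent; returns (winning candidate or None, attempts made)."""
    attempts = 0
    for cand in candidates:
        if attempts >= budget:
            break
        attempts += 1
        if store.login(cand, last_name):
            return cand, attempts
    return None, attempts


def demo(budget: int = 1000) -> dict:
    seq = SequentialBookings()
    seq.create("Smith")
    victim_ref = seq.create("Garcia")
    seq.create("Lee")
    # The attacker makes one booking, learns a reference, and walks downwards.
    own_ref = int(seq.create("Mallory"))
    nearby = (str(r) for r in range(own_ref, own_ref - budget, -1))
    seq_hit, seq_tries = enumerate_attack(seq, "Garcia", nearby, budget)

    hard = HardenedBookings()
    victim_token = hard.create("Garcia")
    guesses = (secrets.token_urlsafe(16) for _ in range(budget))
    hard_hit, hard_tries = enumerate_attack(hard, "Garcia", guesses, budget)
    return {"sequential_hit": seq_hit == victim_ref, "sequential_tries": seq_tries,
            "hardened_hit": hard_hit is not None, "hardened_tries": hard_tries,
            "link": hard.access_link(victim_token)}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the attacker recovering the victim's sequential reference in three attempts after making one booking of their own, while a thousand guesses at the 128-bit token achieve nothing and trip the throttle after ten. Keying the throttle on the last name alone, as this toy does, would let an attacker lock a guest out, so a real deployment keys it on the client address as well.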

Tags: Cybersecurity, Security, Symantec