
Marriott Hotel Reservations Application Had A Significant Security Flaw

January 26, 2015 - Written By David Steele

The Marriott Hotel chain has been under fire recently for trying to block customers from using their own WiFi hotspots on its premises, explaining that customers using their own hotspots could degrade the performance of the chain's internal and chargeable WiFi hotspots. Having been at the mercy of hotel WiFi hotspots before, I can report that most I’ve used have poor network speeds with just a few people using them, and if I’m at a busy conference, I’ll enjoy that little bit of isolation! Anyway, to get back on topic, it appears that Marriott’s Hotel Reservation application has had a significant security flaw which XDA Developer Randy Westergren reckons has been present since the application’s launch in 2011. The issue is that the Android application didn’t use a token or other authorization code to prevent access to reservations: anyone who supplied a reservation number could read that reservation. Randy wrote a proof-of-concept script designed to find reservation numbers; this would trawl up customer numbers, which could then be used to access customer accounts on the Marriott website, and this in turn gave out addresses, phone numbers, reservation details and the last four digits of credit cards. This is the sort of information that’s needed to steal somebody’s identity or change reservations.
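
To make the flaw concrete, here is an added illustration (not Marriott's code, and not Randy's script) of a reservation lookup that trusts the reservation number alone, beside the kind of server-side fix described above, which binds each lookup to the authenticated customer; the reservation data, session tokens and lookup events are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple


@dataclass(frozen=True)
class Reservation:
    number: str
    customer_id: str
    card_last4: str


# Constructed sample data standing in for the reservation database.
RESERVATIONS: Dict[str, Reservation] = {
    "10001": Reservation("10001", "cust-A", "4242"),
    "10002": Reservation("10002", "cust-B", "1881"),
}

# Constructed session store: bearer token -> authenticated customer id.
SESSIONS: Dict[str, str] = {"tok-A": "cust-A", "tok-B": "cust-B"}


def lookup_vulnerable(reservation_number: str) -> Optional[Reservation]:
    """Flawed pattern: the reservation number is the only input, so any caller
    who arrives at a valid number receives another customer's details."""
    return RESERVATIONS.get(reservation_number)


def lookup_fixed(token: str, reservation_number: str) -> Optional[Reservation]:
    """Server-side fix: resolve the caller from a session token and return the
    reservation only if it belongs to that customer. A missing reservation and
    someone else's reservation both yield None, so the response does not
    reveal which numbers exist."""
    customer_id = SESSIONS.get(token)
    if customer_id is None:
        return None
    reservation = RESERVATIONS.get(reservation_number)
    if reservation is None or reservation.customer_id != customer_id:
        return None
    return reservation


def flag_enumeration(events: Iterable[Tuple[str, str]], threshold: int = 5) -> Set[str]:
    """Detection aid for the fixed endpoint: tokens whose denied lookups reach
    the threshold, the signature of a client walking through numbers."""
    denied: Dict[str, int] = {}
    for token, number in events:
        if lookup_fixed(token, number) is None:
            denied[token] = denied.get(token, 0) + 1
    return {token for token, count in denied.items() if count >= threshold}
```

Even with the fix in place, a burst of denied lookups from one session is worth alerting on, since a legitimate guest rarely mistypes a reservation number more than a couple of times.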

There’s good news in that not only did Randy let the Marriott chain know of the security weakness on 20 January, but Marriott fixed the issue at the server side by 21 January. Marriott hadn’t produced a statement at the time of writing (or perhaps they had, but their hotel WiFi is too slow for it to have been sent yet!).

Whilst it’s easy to pick on Marriott for rattling customers’ chains by blocking their own WiFi hotspots and forcing them to overpay for underspecced WiFi (I will let that go, eventually!), this story highlights something that we should all be aware of: how secure is that application that we use? It’s easy to suppose that a major corporation’s application is safe and secure, but many corporations hire a developer to produce their internal applications and, even worse, have the applications built without a clear understanding of what they’re trying to do. In these cases, would users have been safer using a web browser over a secure connection rather than the application? Perhaps so, but it would not have been so easy to access reservations. It’s cases like this where I firmly believe that Google’s Project Zero is A Very Good Idea; I would much rather a company be made aware of security flaws and given the chance to fix them than risk something like this going unnoticed for four years. Let us know your comments in the usual way, below…