03/05/2023

Critical Vulnerabilities Allowed Booking.com Account Takeover

Security Week

The issues were identified by API security firm Salt Security and reported to Booking.com in early December 2022. Patches were rolled out in the next few weeks and Salt Security disclosed technical details on Thursday.

The vulnerabilities found by Salt Security researchers centered on the way Booking.com implemented OAuth, the authorization framework that underpins the "sign in with Google" and "sign in with Facebook" social logins offered by many online services.

In Booking.com's case, the flaws lay in the OAuth integration with Facebook. An attacker who exploited them could have taken complete control of a user's account, obtained the personal information stored in that Booking.com account, and performed actions on the victim's behalf, such as canceling or making reservations and ordering transportation services.
