Software developer Randy Westergren recently uncovered a vulnerability in Marriott’s Android app that allowed unauthenticated access to customer reservations simply by specifying their membership ID.
Westergren found that “Marriott was fetching upcoming reservations with a completely unauthenticated request to their web service, meaning one could query the reservations of any rewards member by simply specifying the Membership ID (rewards number). It appeared concerning enough, but I wondered how serious the impact was to customers.”
The answer will alarm anyone who values the security of their personal data. Available information included customers’ full names, postal and email addresses, and partial credit card information – only the last four digits of the card number, not the full card details.
Westergren told Forbes that attackers “didn’t actually need a rewards number to carry out the attack. [A] script I wrote actually crawls through all rewards numbers, starting at an arbitrary ID, and stops at the first valid result – a customer with an upcoming reservation. An attacker could have feasibly continued crawling through rewards numbers to fetch all upcoming reservations for all rewards members.”
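The two flaws described above, a lookup keyed on nothing but a client-supplied membership ID and the sequential crawling that such an endpoint invites, are shown here from the defender's side as an added example; this is not code from the article, from Westergren, or from Marriott. The reservation data, session tokens, endpoint path and access-log format are all constructed for the example. The hardened lookup takes the member identity from the authenticated session instead of from the request, and the log check flags a client that walks through consecutive membership IDs.

```python
"""Added example, not from the article: an unauthenticated reservation
lookup beside a session-bound version, plus an access-log check for
sequential membership-ID enumeration. All data below is constructed."""
import re
from collections import defaultdict

# Constructed sample data; membership IDs and reservations are made up.
RESERVATIONS = {
    "100000001": {"name": "A. Example", "hotel": "Sample Hotel", "card_last4": "4242"},
    "100000004": {"name": "B. Example", "hotel": "Sample Hotel", "card_last4": "1111"},
}

# Constructed session table: bearer token -> membership ID it was issued to.
SESSIONS = {"tok-a": "100000001", "tok-b": "100000004"}


class Unauthorized(Exception):
    """Raised when a request carries no valid session."""


def vulnerable_lookup(membership_id):
    """The flawed pattern: the only input is a membership ID supplied by the
    caller, so anyone who can reach the endpoint can read any member's data."""
    return RESERVATIONS.get(membership_id)


def hardened_lookup(token):
    """Require a valid session and derive the member from it. The client never
    names a membership ID, so there is nothing to tamper with or enumerate."""
    membership_id = SESSIONS.get(token)
    if membership_id is None:
        raise Unauthorized("missing or invalid session token")
    return RESERVATIONS.get(membership_id)


# Constructed access log: "<timestamp> <client_ip> GET <path> <status>".
SAMPLE_LOG = """\
2015-01-01T10:00:01Z 203.0.113.5 GET /reservations?memberId=100000001 200
2015-01-01T10:00:02Z 203.0.113.5 GET /reservations?memberId=100000002 404
2015-01-01T10:00:03Z 203.0.113.5 GET /reservations?memberId=100000003 404
2015-01-01T10:00:04Z 203.0.113.5 GET /reservations?memberId=100000004 200
2015-01-01T10:00:05Z 203.0.113.5 GET /reservations?memberId=100000005 404
2015-01-01T10:05:00Z 198.51.100.7 GET /reservations?memberId=100000004 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) GET /reservations\?memberId=(\d+) (\d{3})$")


def find_enumerators(log_text, min_distinct_ids=5):
    """Group lookups by client address and flag clients that requested at
    least min_distinct_ids distinct membership IDs forming an unbroken
    consecutive run. Returns {client_ip: sorted list of IDs requested}."""
    ids_by_client = defaultdict(set)
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # ignore lines that are not reservation lookups
        _ts, client_ip, member_id, _status = match.groups()
        ids_by_client[client_ip].add(int(member_id))

    flagged = {}
    for client_ip, ids in ids_by_client.items():
        distinct = sorted(ids)
        if len(distinct) < min_distinct_ids:
            continue
        # Count how many adjacent pairs differ by exactly one.
        consecutive_steps = sum(1 for a, b in zip(distinct, distinct[1:]) if b - a == 1)
        if consecutive_steps == len(distinct) - 1:
            flagged[client_ip] = distinct
    return flagged


if __name__ == "__main__":
    print("vulnerable:", vulnerable_lookup("100000004"))
    print("hardened:", hardened_lookup("tok-a"))
    print("enumerating clients:", find_enumerators(SAMPLE_LOG))
```

The 404 responses in the sample log are themselves a signal: a legitimate client looks up its own reservation and rarely misses, whereas a crawler produces long runs of misses with occasional hits. In production the per-client threshold would be tuned to real traffic and combined with rate limiting, but the authorization fix is what removes the exposure; detection only shortens the time to notice it.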
Westergren wrote a “proof-of-concept exploit” to demonstrate the vulnerability to Marriott, but found that he couldn’t get in touch with their security team. Even the email address firstname.lastname@example.org didn’t exist. After more than a month’s trying, Westergren finally managed to get in touch with Marriott’s security team about the issue, and the vulnerability was swiftly resolved.