Jeff Causey
Marriott has been in the tech news recently over its plans to block customers’ personal Wi-Fi hotspots when visiting one of the company’s properties. That move earned the company a lot of negative press and pressure from the likes of the FCC, and eventually caused it to reverse course. Now it has been discovered that Marriott’s app for Android may have exposed customer data, including credit card information, to possible attack and pilfering ever since its launch in 2011. The flaw was discovered by Randy Westergren, a senior software developer with XDA-Developers, who also found a major hole in Verizon’s mobile app.
According to Westergren, the flaw involved the mechanism the app used to check for upcoming reservations. That request was completed without any authentication. Without that protection, Westergren could craft a request and substitute any membership ID number. The Marriott servers would then return the reservation information for that customer, including name, reservation number and some details about the reservation. That data was sufficient to then log in to the Marriott web site, where an attacker could obtain even more detailed information such as addresses, contact information and the last four digits of credit cards.
Even worse, Westergren figured out that Marriott would not detect and stop scripts that were feeding potential IDs against the server, so an attacker could just start with any arbitrary number and collect the data from positive hits.
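The two weaknesses described above (a lookup that never ties the membership ID to an authenticated user, and no detection of scripts walking ID values) can be illustrated with the following added example; it is not Marriott’s code or Westergren’s, and the reservation data, session store, log format and URL path are all constructed assumptions:

```python
"""Added example: bind a reservation lookup to the caller's session, and flag
clients that sweep membership IDs sequentially in access logs."""
import re
from collections import defaultdict

# Constructed sample data: membership ID -> reservation details.
RESERVATIONS = {
    "100200300": {"name": "A. Guest", "confirmation": "CNF-1"},
    "100200301": {"name": "B. Guest", "confirmation": "CNF-2"},
}
# Constructed session store: session token -> membership ID it was issued for.
SESSIONS = {"tok-alice": "100200300"}

def lookup_vulnerable(member_id):
    """The pattern the article describes: no authentication, any ID is served."""
    return RESERVATIONS.get(member_id)

def is_authorized(session_token, member_id):
    """True only when the session is valid and owns the requested membership ID."""
    return SESSIONS.get(session_token) == member_id

def lookup_hardened(session_token, member_id):
    """Serve reservation data only for the membership ID bound to the session."""
    if not is_authorized(session_token, member_id):
        return None  # deny: unauthenticated or someone else's membership ID
    return RESERVATIONS.get(member_id)

# Constructed access-log format: "<client> GET /reservations?memberId=<id> <status>"
LOG_RE = re.compile(r"^(\S+) GET /reservations\?memberId=(\d+) (\d{3})$")
SAMPLE_LOG = [f"10.0.0.9 GET /reservations?memberId={100200300 + i} 200"
              for i in range(8)] + ["10.0.0.5 GET /reservations?memberId=100200300 200"]

def find_enumerators(log_lines, min_ids=5, seq_ratio=0.8):
    """Return {client: distinct IDs} for clients whose queries step through IDs."""
    ids_by_client = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            ids_by_client[m.group(1)].append(int(m.group(2)))
    flagged = {}
    for client, ids in ids_by_client.items():
        if len(set(ids)) < min_ids:
            continue
        sequential = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
        if sequential >= seq_ratio * (len(ids) - 1):
            flagged[client] = len(set(ids))
    return flagged
```

Run against a real log, the detector would feed a rate limiter or block list; the ratio and threshold are tuning knobs, not fixed values.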
According to Westergren, he reported his findings to Marriott’s security team and the vulnerability was patched the following day. It is not clear whether the vulnerability existed on other platforms; Marriott launched the app on Android, iOS and BlackBerry in 2011. Marriott has not issued a statement regarding the vulnerability.
source: Forbes
Original article: Flaw in Marriott app puts company back in the news and not in a good way
News via TalkAndroid