Top Travel Sites Have Some First-Class Security Issues to Clean Up

Published: 23/11/2024   Category: security




Public-facing vulnerabilities, cloud sprawl, access to back-end servers are just a few of the challenges travel and hospitality companies must address.



The top 10 travel and hospitality companies have public-facing application vulnerabilities and other cloud infrastructure weaknesses that expose customers to potential security risks, research has found.
Security vendor Cequence investigated the top 10 sites that people use to book flights, hotels, car rentals, and holiday packages online — including Orbitz, Kayak, Skyscanner, and Travelocity — and found that all of them have serious security flaws that can put site visitors at risk for compromise as well as negatively affect their own businesses and reputations.
The researchers didn't name the most perilous companies for travelers to use, but did note that their online systems contained 91% of the most serious vulnerabilities discovered. Moreover, most of these flaws allow for man-in-the-middle (MitM) attacks, in which attackers can intercept and manipulate communications with users.
Other security holes that Cequence researchers discovered relate to the infrastructure behind the service providers' websites, with common cloud infrastructure issues creating insecure scenarios for public users.
Indeed, no matter where the risk stems from, what it boils down to is that people booking holiday or business travel online could unwittingly be compromised in a number of ways, particularly during peak travel times when attackers know travel sites will be busy, noted William Glazier, director of threat research at Cequence. This, in turn, demands that providers and consumers alike be mindful and make appropriate modifications to infrastructure and online behavior, respectively, to keep attackers at bay, he said.
"Our research highlights severe threats, including financial loss, identity theft, and disrupted travel for consumers, and reputational damage and legal issues for businesses," Glazier said in a press statement.
The flaws that Cequence found in the travel organizations' back-end infrastructure were less straightforward than software or hardware vulnerabilities, though those existed as well. The researchers found misconfigurations and other problems plaguing the cloud infrastructure that supports many travel and hospitality websites.
Eight out of the 10 companies had public-facing non-production or internal application servers in their environments, systems that are typically unmonitored and unmanaged by IT staff. These assets, as many as 300 at one of the companies, give threat actors a route to system access, according to Cequence.
All of the service providers also showed signs of cloud sprawl, where systems got deployed faster than they could be effectively managed. Cequence found that the top travel and hospitality sites used between five and 21 different hosting providers; Amazon Web Services is the most widely used cloud infrastructure provider, followed by Google and Microsoft.
This sprawl leads to a proliferation of public-facing cloud instances and underscores the complexity of managing cloud environments, according to Cequence. It also creates a situation in which organizations don't even know what technology assets exist in their network, let alone whether they're secured. Further, this scenario can ensnare companies in supply-chain attacks that originate not in their own infrastructure but upstream at another provider.
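The exposure pattern described in the two paragraphs above, unmanaged non-production hosts scattered across many hosting providers, is something an external attack-surface review can flag mechanically. The following Python script is an added example, not Cequence's tooling or anything from the article: it takes a constructed inventory of hostnames with their resolved IPs, attributes each IP to a hosting provider through a hypothetical CIDR table (the prefixes are RFC 5737 documentation ranges, not real provider allocations), flags hostnames whose labels suggest non-production or internal systems, and counts distinct providers as a sprawl indicator.

```python
"""Triage an external asset inventory for non-production exposure and hosting sprawl.

Added example for illustration; not code from Cequence or the article.
The inventory and the provider prefix table are constructed: the prefixes
are RFC 5737 documentation ranges, not real provider allocations.
"""
import ipaddress
import re
from collections import Counter

# Hypothetical provider-to-prefix table. A real review would load the
# IP range lists that the cloud providers publish.
PROVIDER_PREFIXES = {
    "aws":   ["198.51.100.0/24"],
    "gcp":   ["203.0.113.0/25"],
    "azure": ["203.0.113.128/26"],
    "colo":  ["192.0.2.0/24"],
}

# Hostname labels that usually mark non-production or internal systems.
# Each label must be a whole DNS label or hyphen-separated token, so
# "international" does not trip the "int" rule.
NON_PROD_RE = re.compile(
    r"(?:^|[.-])(?:dev|test|qa|uat|stag(?:e|ing)|sandbox|preprod|int(?:ernal)?|jenkins)(?=[.-]|$)",
    re.IGNORECASE,
)


def provider_for(ip: str) -> str:
    """Map an IP to a provider name via the prefix table, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, cidrs in PROVIDER_PREFIXES.items():
        if any(addr in ipaddress.ip_network(c) for c in cidrs):
            return name
    return "unknown"


def is_non_production(hostname: str) -> bool:
    """True when a hostname label suggests a non-production/internal system."""
    return NON_PROD_RE.search(hostname) is not None


def triage(inventory):
    """Summarise an inventory of (hostname, ip) pairs.

    Returns the flagged non-production hosts, a per-provider count, and the
    number of distinct known providers (the sprawl indicator).
    """
    flagged = []
    providers = Counter()
    for host, ip in inventory:
        prov = provider_for(ip)
        providers[prov] += 1
        if is_non_production(host):
            flagged.append((host, ip, prov))
    return {
        "total": len(inventory),
        "non_production": flagged,
        "providers": dict(providers),
        "provider_count": sum(1 for p in providers if p != "unknown"),
    }


# Constructed inventory, as if produced by DNS enumeration of one company.
SAMPLE_INVENTORY = [
    ("www.travel.example.com",         "198.51.100.10"),
    ("api.travel.example.com",         "198.51.100.11"),
    ("staging-api.travel.example.com", "203.0.113.20"),
    ("jenkins.int.travel.example.com", "203.0.113.150"),
    ("uat.booking.travel.example.com", "192.0.2.5"),
    ("cdn.travel.example.com",         "203.0.113.250"),  # matches no prefix
]

if __name__ == "__main__":
    report = triage(SAMPLE_INVENTORY)
    print(f"{report['total']} hosts across {report['provider_count']} known providers")
    for host, ip, prov in report["non_production"]:
        print(f"NON-PROD EXPOSED: {host} ({ip}, {prov})")
```

In practice the inventory comes from DNS enumeration and certificate transparency logs, and the prefix table from the providers' published range files. The hostname heuristic produces false negatives (a test server named like production is not caught) and the occasional false positive, so treat its output as a triage list to verify, not as proof of exposure.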
While Cequence did not disclose the names of the worst security offenders among the companies analyzed, it did share which sites were among the safest. Those that locked down internal or non-production application servers and exposed the fewest of them to the public were, in this order: Orbitz and Travelocity, Kayak, and Skyscanner.
These companies also had the fewest vulnerabilities in the public-facing applications that clients use when visiting their sites. Here Skyscanner performed best, followed by Kayak and Orbitz.
As summer wanes, there are two significant milestones in the near future that demand an examination of security by travel and hospitality companies to ensure their online booking systems are safer for consumers.
One is PCI DSS v4.0, the security standard that governs the handling of payment card data. Its remaining future-dated requirements, several of which address online card safety, become mandatory in April 2025. Companies must be compliant by then or face fines, penalties, and disruptions to card transactions, along with an increased risk of data breaches that could damage their reputations and erode customer trust, according to Cequence.
The other is the busy winter-travel season, which typically kicks off in October and invites attackers to launch a flurry of distributed denial-of-service (DDoS) attacks. In November 2023, travel sites saw almost double the DDoS attacks of the next-highest month, Cequence noted.





