Marriott fixes Android app exploit that could expose personal data

Marriott International has fixed an exploit in their Android app, that could expose personal details for customers of the hotel chain, highlighted by a security researcher.

Randy Westergren, a senior software developer with XDA Developers found that the Marriott Android app was checking rewards members' reservations against a Marriott server without any authentication. As Westergren noted, this meant anyone could "query the reservations of any rewards member by simply specifying the Membership ID."

Using a friend's membership ID, Westergren discovered a valid response included reservation details such as the hotel name, the expiry date, reservation number, check in date and last name. This information allowed Westergren to log in to the Marriott website, using just the reservation number and last name. Once in, he could not only cancel the reservation, but also see more personal information including the customer's full name, their address, email address and the last four numbers and expiry date of the credit card used to make the booking.

As Forbes points out, this is more than enough for cybercriminals to be getting along with: "Though only the last four digits of the credit card information were revealed, that would be enough for many identity thieves, who can take the data and try to hack into victims’ other accounts."

The proof of concept hack that Westergren sent Marriott meant that a specific membership ID wouldn't be required, either. As Westergren told Forbes, "You didn’t actually need a rewards number to carry out the attack. The script I wrote actually crawls through all rewards numbers, starting at an arbitrary ID, and stops at the first valid result – a customer with an upcoming reservation. An attacker could have feasibly continued crawling through rewards numbers to fetch all upcoming reservations for all rewards members."

The exploit is now closed. Indeed, once Westergren found a security contact address for the hotel chain, Tripwire reports that the exploit was closed within 24 hours, although Westergren told Forbes that he would "bet the bank" that the weakness had been in the app since its launch in 2011.

ValeStock / Shutterstock.com