
Millions of People Can Lose Sensitive Data through Travel Apps, Privacysavvy reports

According to a report published by researchers at PrivacySavvy, many travel companies expose users’ data through their booking apps.

A report published on the 16th of March by PrivacySavvy states that many travel companies expose users’ data through their booking apps. PrivacySavvy is a digital security company whose mission is to educate internet users about the privacy of their digital lives.

During a 2021 “apps mapping project,” they discovered that travel apps are not as secure as they should be for the millions of people who use them.

According to the team, the apps mapping project aims to facilitate the safety of web applications that people use every day.

Popular Travel Apps Expose Users

In the research led by two PrivacySavvy researchers, Huynh Chen and Sarmad Khan, the team tested 20 popular travel apps.

During the test, the researchers aimed to understand how these companies manage users’ security and privacy risks. Unfortunately, they discovered that these leading apps lacked the basic security measures needed to protect their users’ data.

Most of the popular travel apps expose their users by allowing third-party access to their servers. Because these servers are left open, users’ data is exposed to anyone interested in gathering it.

PrivacySavvy fears that malicious third parties could hack users’ accounts and steal sensitive information if these companies fail to fix, or ignore, what the team called “server-side security vulnerabilities.”

Based on its evaluation, the research team led by Huynh and Sarmad found that these travel apps are not upholding security standards in their operations. More importantly, PrivacySavvy found that these vulnerabilities were more prominent in the apps’ subdomains.

More Than 100 Million Users Could be Compromised

Based on the PrivacySavvy report, up to 105 million travel app users are at risk of losing sensitive information if hackers target the apps. The researchers withheld the names of the specific travel apps they tested, citing legal issues and the possibility of compromise if hackers obtained that information.

However, the team revealed that they picked the apps based on the number of downloads and positive reviews. They also disclosed that they concentrated their investigation mainly on booking and ride-sharing apps, and did not evaluate apps belonging to car rental companies, individual hotels, or airlines.

Fortunately, they confirmed that not all the apps evaluated had “server-side security vulnerabilities.” And while some of the affected companies have rectified the issues, many are yet to do so.

Consequences of Server-side Security Vulnerabilities

One of the main reasons behind the investigation is to prevent sensitive data exposure. According to PrivacySavvy, sensitive data exposure occurs when a company, an entity, or an app carelessly exposes users’ data.

Many people are more familiar with the term data breach, but a breach is different from data exposure. A data breach occurs when a hacker attacks a company, app, or entity in order to steal users’ data.

Sensitive data exposure, on the other hand, is when users’ data becomes publicly accessible because the owner failed to put safety measures in place to protect the database. Many factors may contribute to private data exposure, such as software flaws, no encryption, or weak encryption.

In such cases, some of the data that could be exposed includes:

  1. Bank account numbers
  2. Phone numbers
  3. Home addresses
  4. Credit card details
  5. Healthcare data
  6. Dates of birth
  7. Session tokens
  8. Usernames & Passwords, etc.

The server-side vulnerability in the evaluated travel apps can expose the above-listed information to anyone who exploits it. Since the vulnerabilities are in the apps’ subdomains, a wrongdoer can go through them to pull the .git directory, collect sensitive information, and carry out a sophisticated attack on the database.

How to Avoid Data Exposure

According to the PrivacySavvy researchers, both the companies and the users have some roles in preventing data exposure.

First of all, companies should:

  1. Secure both their main domains and their subdomains
  2. Protect files that contain sensitive information
  3. Never store such files on production servers
  4. Use suitable access rules
  5. Shut down systems that have no authentication requirements after use
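The exposure the report describes (a reachable .git directory or other sensitive files on a production host) leaves a trail in the web server's access log. The following is an added example, not code from PrivacySavvy or the article, that scans Combined Log Format lines for requests to such paths and reports which ones the server actually served (2xx status); the log lines and path patterns are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access log in Combined Log Format (not from the report).
SAMPLE_LOG = """\
203.0.113.10 - - [16/Mar/2021:10:00:01 +0000] "GET /booking/search?city=Rome HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [16/Mar/2021:10:00:02 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "curl/7.68.0"
198.51.100.7 - - [16/Mar/2021:10:00:03 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "curl/7.68.0"
198.51.100.7 - - [16/Mar/2021:10:00:04 +0000] "GET /backup/db.sql.gz HTTP/1.1" 200 904812 "-" "python-requests/2.25"
203.0.113.10 - - [16/Mar/2021:10:00:05 +0000] "GET /%2e%2e/.env HTTP/1.1" 200 310 "-" "curl/7.68.0"
"""

# Fields of one Combined Log Format line that the check needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Paths that should never be reachable on a production web root
# (labels and patterns are this example's own choices).
SENSITIVE = [
    ("git-metadata", re.compile(r"(^|/)\.git(/|$)")),
    ("dotenv", re.compile(r"(^|/)\.env(\.|$)")),
    ("backup-archive", re.compile(r"\.(sql|bak|old|zip|tar|gz|tgz)$")),
]

def classify(path):
    """Return a sensitivity label for a request path, or None."""
    # Drop the query string and percent-decode so encoded dots are seen.
    clean = unquote(path.split("?", 1)[0])
    for label, pattern in SENSITIVE:
        if pattern.search(clean):
            return label
    return None

def find_exposures(log_text):
    """Flag requests for sensitive paths; 'served' is True on a 2xx status."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        label = classify(m["path"])
        if label is None:
            continue
        findings.append({"ip": m["ip"], "path": m["path"], "label": label,
                         "served": m["status"].startswith("2")})
    return findings

if __name__ == "__main__":
    for f in find_exposures(SAMPLE_LOG):
        print(("SERVED  " if f["served"] else "blocked ") + f["label"], f["ip"], f["path"])
```

A served `git-metadata` or `dotenv` hit is the signal to act on: the request succeeded, so the file is exposed and the host needs the access rules from the list above.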

For users, the research team recommends contacting the travel companies they have used recently to find out whether those companies are exposing their sensitive information in any way. Doing so can galvanize the companies into action to fix any such vulnerabilities.


Pierluigi Paganini

(SecurityAffairs – hacking, Travel Apps)
