11 November 2020
Common Security Vulnerabilities Within Travel Management Companies
In a bylined article in Security Magazine, Roman Denisenko, Security Consultant at DataArt, discusses examples of security vulnerabilities common within travel management companies’ web solutions and shares advice for mitigating these risks.
«Perhaps the threat that can affect business the most is the access control issue. Exploitation of this vulnerability can give a hacker almost full control over a company's sensitive data. Unfortunately, multi-tenant corporate travel platforms risk missing function-level access controls, which leads to a situation where a malicious user without appropriate permissions is able to obtain information about any deal/user/trip/etc. existing in the system. As a possible example of such an attack, a travel manager of one company is able to obtain detailed information about another company’s employees registered within the same TMC, including their passport details, credit cards, etc. So, it is important that users are given access only to their own data and to the parts of the system that they need to work with, at a level that is appropriate to their role.»
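The cross-tenant read described above, shown as an added example (this is not code from the article or from DataArt). It contrasts a lookup with no object- or function-level check against one that is scoped to the caller's tenant and role. The data model, the role names, the in-memory store and the sample trips are all assumptions made for illustration.

```python
"""Tenant- and role-scoped access control for a shared travel platform.

Added example; not code from the article or from DataArt. The data model,
role names, and the in-memory store are assumptions made for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    tenant_id: int  # the company (TMC client) the user belongs to
    role: str       # "traveler" or "travel_manager"


@dataclass(frozen=True)
class Trip:
    trip_id: int
    tenant_id: int
    traveler_id: int
    passport_number: str
    card_last4: str


# Constructed sample data: two unrelated companies served by the same TMC.
TRIPS = {
    101: Trip(101, tenant_id=1, traveler_id=10, passport_number="P1234567", card_last4="4242"),
    102: Trip(102, tenant_id=1, traveler_id=11, passport_number="P2345678", card_last4="0005"),
    202: Trip(202, tenant_id=2, traveler_id=20, passport_number="P7654321", card_last4="1111"),
}


class Forbidden(Exception):
    pass


def get_trip_vulnerable(user: User, trip_id: int) -> Trip:
    """The flaw described in the article: the caller is authenticated, but there
    is no object- or function-level check, so any user can read any trip by
    guessing its id, regardless of which company it belongs to."""
    return TRIPS[trip_id]


def get_trip(user: User, trip_id: int) -> Trip:
    """Hardened lookup: deny by default, scope to the caller's tenant, then
    apply the role rule (managers see their own company's trips, travelers
    only their own). Missing and foreign trips give the same answer, so trip
    ids cannot be enumerated across tenants."""
    trip = TRIPS.get(trip_id)
    if trip is None or trip.tenant_id != user.tenant_id:
        raise Forbidden("trip not found")
    if user.role == "travel_manager":
        return trip
    if user.role == "traveler" and trip.traveler_id == user.user_id:
        return trip
    raise Forbidden("trip not found")


def demo() -> dict:
    """Exercise both lookups and return the outcomes so they can be checked."""
    manager_a = User(user_id=1, tenant_id=1, role="travel_manager")
    traveler_a = User(user_id=10, tenant_id=1, role="traveler")

    def outcome(fn, user, trip_id):
        try:
            return fn(user, trip_id).passport_number
        except (Forbidden, KeyError):
            return "denied"

    return {
        # company A's manager reading a company B traveler: leaks with the flaw
        "vulnerable_cross_tenant": outcome(get_trip_vulnerable, manager_a, 202),
        "scoped_cross_tenant": outcome(get_trip, manager_a, 202),
        # the same manager reading a trip inside their own company: allowed
        "scoped_own_tenant": outcome(get_trip, manager_a, 102),
        # a traveler reading a colleague's trip in the same company: denied
        "scoped_traveler_other_trip": outcome(get_trip, traveler_a, 102),
        "scoped_traveler_own_trip": outcome(get_trip, traveler_a, 101),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The tenant check runs before the role check and both failure paths return the same error, so a caller cannot distinguish "no such trip" from "another company's trip"; that is what stops a travel manager from walking the id space of the whole platform.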
«Moreover, the situation is even more dramatic when access control issues are combined with unauthorized access to API documentation. In cases where API documentation for third-party services is not hidden, attackers can use it to connect to those services disguised as developers and try to gain access to sensitive information or abuse the system.»
«Still, weak password quality controls remain a key factor in account hijacking, giving an attacker the opportunity to easily guess the targeted accounts’ passwords via brute-force attacks.»
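As an added example (not code from the article or from DataArt), the two controls that counter the point above: a password quality check at registration and a failed-login throttle that limits online guessing. The denylist, the length threshold, the lockout parameters and the in-memory attempt store are assumptions chosen for illustration; the `brute_force` function only simulates an attacker against that throttle.

```python
"""Password quality control and failed-login throttling against brute force.

Added example; not code from the article or from DataArt. The denylist, the
length threshold, the lockout parameters and the in-memory attempt store are
assumptions chosen for illustration.
"""
import time

# Constructed: a handful of entries of the kind found in breached-password lists.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "welcome1", "travel2020"}
MIN_LENGTH = 12


def password_problems(username: str, password: str) -> list:
    """Return the reasons a new password should be rejected (empty list = accept)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in a common-password list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


class LoginThrottle:
    """Lock an account for lock_seconds after max_failures consecutive failures.

    The clock is injectable so the lockout can be tested without sleeping."""

    def __init__(self, max_failures=5, lock_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.clock = clock
        self._failures = {}      # username -> consecutive failure count
        self._locked_until = {}  # username -> clock value when the lock expires

    def allowed(self, username: str) -> bool:
        return self.clock() >= self._locked_until.get(username, 0.0)

    def record_failure(self, username: str) -> None:
        count = self._failures.get(username, 0) + 1
        self._failures[username] = count
        if count >= self.max_failures:
            self._locked_until[username] = self.clock() + self.lock_seconds
            self._failures[username] = 0

    def record_success(self, username: str) -> None:
        self._failures.pop(username, None)
        self._locked_until.pop(username, None)


def brute_force(throttle: LoginThrottle, username: str, real_password: str, guesses) -> dict:
    """Simulate an online guessing attack: report whether it succeeded and how
    many guesses the server actually evaluated before the account locked."""
    evaluated = 0
    for guess in guesses:
        if not throttle.allowed(username):
            return {"found": False, "evaluated": evaluated, "locked": True}
        evaluated += 1
        if guess == real_password:
            throttle.record_success(username)
            return {"found": True, "evaluated": evaluated, "locked": False}
        throttle.record_failure(username)
    return {"found": False, "evaluated": evaluated, "locked": not throttle.allowed(username)}


def demo() -> dict:
    """Run the quality check on a weak and a strong password, then the same
    guess list against an unthrottled and a throttled login endpoint."""
    # Constructed guess list; the weak password is the seventh entry.
    guesses = ["123456", "password", "qwerty", "welcome1",
               "letmein", "summer19", "travel2020", "hunter2"]
    weak = "travel2020"
    no_throttle = LoginThrottle(max_failures=10**9)  # effectively no lockout
    throttled = LoginThrottle(max_failures=5)
    return {
        "weak_rejected": password_problems("anna", weak),
        "strong_accepted": password_problems("anna", "correct-horse-battery-staple-2020"),
        "unthrottled": brute_force(no_throttle, "anna", weak, guesses),
        "throttled": brute_force(throttled, "anna", weak, guesses),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two controls are complementary: the quality check keeps passwords out of the first few thousand guesses any attacker will try, and the throttle caps how many of those guesses the server will evaluate at all. A lockout keyed only on username can itself be abused to lock legitimate users out, so in practice it is combined with per-source rate limiting or a CAPTCHA rather than used alone.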
«Vulnerable and insecure protocols are also a big source of problems for business travel applications. They are often affected by multiple cryptographic flaws caused by weak configurations of the web servers and middleware.»
The original article can be found here.