Top Travel Sites Have Some First-Class Security Issues to Clean Up

Public-facing vulnerabilities, cloud sprawl, access to back-end servers are just a few of the challenges travel and hospitality companies must address.

[Image: woman using a laptop and phone on a beach beside a roller bag. Source: Anastasia Nelen via Unsplash]

The top 10 travel and hospitality companies have public-facing security and other cloud infrastructure vulnerabilities that expose customers to potential security risks, research has found.

Security vendor Cequence investigated the top 10 sites that people use to book flights, hotels, car rentals, and holiday packages online — including Orbitz, Kayak, Skyscanner, and Travelocity — and found that all of them have serious security flaws that can put site visitors at risk for compromise as well as negatively affect their own businesses and reputations.

The researchers didn't name the most perilous companies for travelers to use, but did note that their online systems contained 91% of the most serious vulnerabilities that were discovered. Moreover, most of these flaws allow for man-in-the-middle (MitM) attacks, in which attackers can intercept and manipulate communications with users.

Other security holes that Cequence researchers discovered are related to the actual infrastructure of the service provider's website, with common issues related to cloud infrastructure creating insecure scenarios for public users.

Indeed, no matter where the risk stems from, what it boils down to is that people booking holiday or business travel online could unwittingly be compromised in a number of ways, particularly during peak travel times when attackers know travel sites will be busy, noted William Glazier, director of threat research at Cequence. This, in turn, demands that providers and consumers alike be mindful and make appropriate modifications to infrastructure and online behavior, respectively, to keep attackers at bay, he said.

"Our research highlights severe threats, including financial loss, identity theft, and disrupted travel for consumers, and reputational damage and legal issues for businesses," Glazier said, in a press statement.

Existing Security Holes

The flaws that Cequence found in travel organizations' back-end infrastructure were less straightforward than software or hardware vulnerabilities, though those existed as well. They found misconfigurations and other problems plaguing the cloud infrastructure that supports many travel and hospitality websites.

Eight out of the 10 companies had public-facing, non-production or internal application servers in their environments, systems that are typically unmonitored and unmanaged by IT staff. These assets (as many as 300 at one of the companies) give threat actors a route to system access, according to Cequence.

All of the service providers also showed signs of cloud sprawl, where systems got deployed faster than they could be effectively managed. Cequence found that the top travel and hospitality sites used between five and 21 different hosting providers; Amazon Web Services is the most widely used cloud infrastructure provider, followed by Google and Microsoft.

This sprawl leads to a proliferation of public-facing cloud instances and underscores the complexity of managing cloud environments, according to Cequence. It also creates a situation in which organizations don't even know what technology assets exist in their network, let alone whether they're secured. Further, this scenario can ensnare companies in supply-chain attacks that don't originate in their own infrastructure but flow downstream from another provider.
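The exposure described in the three paragraphs above (non-production servers reachable from the internet that nobody tracks, plus instances spread across many hosting providers) is what a routine reconciliation of DNS records against the asset inventory is meant to surface. The script below is an added example, not code from Cequence or from the article. It assumes a DNS-zone export as (hostname, address) pairs, a set of hostnames the IT team actually manages, and a table of address ranges per hosting provider; every hostname, address and range in it is constructed sample data, with RFC 5737 documentation blocks standing in for provider space.

```python
"""Reconcile DNS records against a managed-asset inventory and flag
public-facing non-production hosts plus hosting sprawl.
Added example with constructed data; not the vendor's or the article's code."""
import ipaddress
import re
from collections import Counter

# Constructed stand-ins for hosting-provider address ranges. A real audit would
# load each provider's published ranges for the accounts the company owns.
PROVIDER_RANGES = {
    "provider-a": [ipaddress.ip_network("203.0.113.0/24")],
    "provider-b": [ipaddress.ip_network("198.51.100.0/25")],
    "provider-c": [ipaddress.ip_network("198.51.100.128/25")],
}

# Address space that is not reachable from the internet. The check is written
# against these blocks rather than ipaddress's is_global/is_private, because the
# documentation ranges used as sample provider space above are classed as
# non-global by the stdlib and would otherwise be skipped.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Name fragments that commonly mark non-production or internal systems.
NON_PROD = re.compile(
    r"(?:^|[.-])(?:dev|test|qa|stag(?:e|ing)|uat|internal|intranet|sandbox)(?:[.-]|$)",
    re.IGNORECASE,
)


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def provider_for(addr):
    ip = ipaddress.ip_address(addr)
    for name, nets in PROVIDER_RANGES.items():
        if any(ip in net for net in nets):
            return name
    return "unknown"


def audit(dns_records, managed_assets):
    """Return (findings, providers).

    findings: list of (hostname, issue) for internet-reachable hosts that are
              non-production, missing from the inventory, or both.
    providers: Counter of public hosts per hosting provider (sprawl measure).
    """
    findings = []
    providers = Counter()
    for host, addr in dns_records:
        if is_internal(addr):
            continue  # private/loopback/link-local: not exposed to the internet
        providers[provider_for(addr)] += 1
        non_prod = bool(NON_PROD.search(host))
        managed = host in managed_assets
        if non_prod and not managed:
            findings.append((host, "non-production host exposed and absent from inventory"))
        elif non_prod:
            findings.append((host, "non-production host exposed"))
        elif not managed:
            findings.append((host, "public host absent from inventory"))
    return findings, providers


# Constructed sample input: a DNS export and the hosts IT actually tracks.
DNS_RECORDS = [
    ("www.example.com", "203.0.113.10"),
    ("api.example.com", "203.0.113.11"),
    ("staging-api.example.com", "203.0.113.50"),
    ("dev-portal.example.com", "198.51.100.20"),
    ("intranet.example.com", "10.0.5.4"),
    ("reports.example.com", "198.51.100.200"),
]
MANAGED_ASSETS = {"www.example.com", "api.example.com", "staging-api.example.com"}


if __name__ == "__main__":
    found, by_provider = audit(DNS_RECORDS, MANAGED_ASSETS)
    for host, issue in found:
        print(f"{host}: {issue}")
    print(f"{len(by_provider)} hosting providers in use: {dict(by_provider)}")
```

Hosts that are internal by address are skipped rather than reported, so the findings list contains only what an outside attacker could reach; the provider count is the sprawl figure the research reports (five to 21 providers per company), and a provider bucket of "unknown" is itself worth investigating since it means a public record points at space nobody has claimed.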

Outlook Demands Better Security

While Cequence did not disclose the names of the worst security offenders among the companies analyzed, it did share which sites were among the safest. Those that locked down internal application or non-production servers and exposed the fewest of them through public-facing apps were, in this order: Orbitz and Travelocity, Kayak, and Skyscanner.

Meanwhile, these companies also had the fewest vulnerabilities in their public-facing applications that might affect clients visiting their sites. In this instance, Skyscanner performed the best, followed by Kayak and Orbitz.

As summer wanes, there are two significant milestones in the near future that demand an examination of security by travel and hospitality companies to ensure their online booking systems are safer for consumers.

One is the arrival of PCI DSS v4.0, a security standard governing the handling of credit card information, which goes into effect in April 2025 and has several new requirements for online credit-card safety. Companies must ensure compliance by that time or face fines, penalties, and disruptions to card transactions, along with increased risk of data breaches that could damage their reputations and create trust issues with customers, according to Cequence.

The other is the busy winter-travel season, which typically kicks off in October and invites attackers to launch a flurry of distributed denial-of-service (DDoS) attacks. Indeed, in November 2023 travel sites racked up almost double the number of DDoS attacks over the next-highest month, Cequence noted.

About the Author

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.
