Top Travel Sites Have Some First-Class Security Issues to Clean Up

The top 10 travel and hospitality companies have public-facing security and other cloud infrastructure vulnerabilities that expose customers to potential security risks, research has found.

Security vendor Cequence investigated the top 10 sites that people use to book flights, hotels, car rentals, and holiday packages online — including Orbitz, Kayak, Skyscanner, and Travelocity — and found that all of them have serious security flaws that can put site visitors at risk for compromise as well as negatively affect their own businesses and reputations.

The researchers didn't name the most perilous companies for travelers to use, but did note that their online systems contained 91% of the most serious vulnerabilities that were discovered. Moreover, most of these flaws allow for man-in-the-middle (MiTM) attacks in which attackers can intercept and manipulate communciations with users.

Other security holes that Cequence researchers discovered are related to the actual infrastructure of the service provider's website, with common issues related to cloud infrastructure creating insecure scenarios for public users.

Indeed, no matter where the risk stems from, what it boils down to is that people booking holiday or business travel online could unwittingly be compromised in a number of ways, particularly during peak travel times when attackers know travel sites will be busy, noted William Glazier, director of threat research at Cequence. This, in turn, demands that providers and consumers alike be mindful and make appropriate modifications to infrastructure and online behavior, respectively, to keep attackers at bay, he said.

"Our research highlights severe threats, including financial loss, identity theft, and disrupted travel for consumers, and reputational damage and legal issues for businesses," Glazier said, in a press statement.

Existing Security Holes

The flaws that Cequence found in travel organizations' back-end infrastructure were less straightforward than software or hardware vulnerabilities, though those existed as well. They found misconfigurations and other problems plaguing the cloud infrastructure that supports many travel and hospitality websites.

Eight out of the 10 companies had public-facing, non-production or internal application servers in their environments — systems that are typically unmonitored and unmanaged by IT staff. These assets, as many as 300 at one of the companies — allow threat actors system access, according to Cequence.

All of the service providers also showed signs of cloud sprawl, where systems got deployed faster than they could be effectively managed. Cequence found that the top travel and hospitality sites used between five and 21 different hosting providers; Amazon Web Services is the most widely used cloud infrastructure provider, followed by Google and Microsoft.

This sprawl leads to a proliferation of public-facing cloud instances and underscores the complexity of managing cloud environments, according to Cequence. It also creates a situation in which organizations don't even know what technology assets exist in their network, let alone make sure they're secured. Further, this scenario can ensnarl companies in supply-chain attacks that don't originate in their own infrastructure but float downstream from another provider.

Outlook Demands Better Security

While Cequence did not disclose the names of the worst security offenders of the companies analyzed, it did share which sites were among the safest. Those who locked down internal application or non-production servers and had the least amount accessible to public-facing apps were, in this order: Orbitz and Travelocity, Kayak, and Skyscanner.

Meanwhile, these companies also had the fewest number of vulnerabilities in their public-facing applications that might affect clients visiting their sites. In this instance, Skyscanner performed the best, followed by Kayak and Orbitz.

As summer wanes, there are two significant milestones in the near future that demand an examination of security by travel and hospitality companies to ensure their online booking systems are safer for consumers.

One is the arrival of PCI DSS v4.0, a security standard that governs handling of credit card information that goes into effect in April 2025, and has several new requirements for online credit-card safety. Companies must ensure compliance by that time or face fines, penalties, and disruptions to card transactions, along with increased risk of data breaches that could damage their reputations and create trust issues with customers, according to Cequence.

The other is the busy winter-travel season, which typically kicks off in October and invites attackers to launch a flurry of distributed denial-of-service (DDoS) attacks. Indeed, in November 2023 travel sites racked up almost double the number of DDoS attacks over the next-highest month, Cequence noted.