The main issue involved booking confirmation emails, according to Symantec principal threat researcher Candid Wueest. Many of the messages include an active link that takes guests straight to their reservation on a separate website without having to log in again. The booking code and the guest's email address are often carried in the URL itself, which on its own is not necessarily a problem.
But, like most commercial sites, hotel reservation pages load content from third parties (advertising and analytics services, for example), and a URL that carries the booking code and email is passed along to those parties as the referring page, so they can see it as well. Anyone who obtains the booking code and email can open the reservation and read the guest's home address, full name, mobile number, passport number and other highly sensitive details. Symantec also found that a smaller number of hotels sent confirmation links over unencrypted HTTP rather than HTTPS, so anyone on the same network, such as a public Wi-Fi hotspot, could read them, giving attackers another window of opportunity.
A Symantec spokesperson told Engadget that the company contacted the hotels that had the security flaw and that most, but not all, of the hotels were taking measures to fix it. Symantec would not disclose which hotels were named in the study, but said it looked at a total of 45 different websites, including boutique hotels and major chains with hundreds of locations, covering more than 1,500 hotels.
What can customers do in the meantime to guard their privacy? Symantec advises using a VPN when changing a hotel reservation over public Wi-Fi. You can also inspect the confirmation link itself: if your booking reference and email address appear in the URL, your booking details are exposed. A URL with the security flaw would look like this: https://booking.the-hotel.tld/retrieve.php?prn=1234567&mail=john_smith@myMail.tld
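The check described above, written out as a small Python audit. This is an added example, not Symantec's tooling or any hotel's code: it parses a confirmation link, flags a plain-HTTP scheme, flags an email address in the query string or path, and flags query parameters whose names look like a booking reference. The list of booking-reference parameter names is an assumption for illustration; real sites use whatever names their developers chose, so a clean result is no guarantee of safety.

```python
"""Audit a hotel booking-confirmation link for the exposure pattern described above.

Added example; not code from the original article or from Symantec.
"""
import re
from typing import List, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# Loose email matcher: local part, '@', domain with at least one dot.
EMAIL_RE = re.compile(r"^[^@\s/]+@[^@\s/]+\.[^@\s/]+$")

# Parameter names that commonly carry a booking reference.
# ASSUMPTION for illustration: extend this with the names the site you audit actually uses.
BOOKING_KEYS = {
    "prn", "pnr", "booking", "bookingcode", "bookingref", "reservation",
    "reservationid", "resid", "confirmation", "confirmationnumber", "ref",
}


def audit_confirmation_url(url: str) -> List[Tuple[str, str]]:
    """Return (finding, detail) pairs describing what the link exposes.

    Findings:
      plaintext_link        - scheme is not https; the whole URL is readable on the network
      email_in_query        - a query parameter value is an email address
      booking_ref_in_query  - a query parameter name looks like a booking reference
      email_in_path         - a path segment is an email address
    """
    findings: List[Tuple[str, str]] = []
    parts = urlsplit(url)

    if parts.scheme.lower() != "https":
        findings.append(("plaintext_link", parts.scheme or "(none)"))

    # parse_qsl percent-decodes values for us.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        normalized_key = re.sub(r"[^a-z0-9]", "", key.lower())
        if EMAIL_RE.match(value):
            findings.append(("email_in_query", key))
        elif normalized_key in BOOKING_KEYS:
            findings.append(("booking_ref_in_query", key))

    # Identifiers are sometimes embedded in the path instead of the query string.
    for segment in parts.path.split("/"):
        decoded = unquote(segment)
        if EMAIL_RE.match(decoded):
            findings.append(("email_in_path", decoded))

    return findings


def is_exposed(url: str) -> bool:
    """True when the link leaks a booking identifier or email, or travels unencrypted."""
    return bool(audit_confirmation_url(url))


if __name__ == "__main__":
    # Constructed sample links: the article's example URL, an HTTP variant, and
    # a cleaner link that uses only an opaque token (hypothetical site).
    samples = [
        "https://booking.the-hotel.tld/retrieve.php?prn=1234567&mail=john_smith@myMail.tld",
        "http://booking.the-hotel.tld/retrieve.php?prn=1234567&mail=john_smith@myMail.tld",
        "https://booking.example-hotel.tld/reservations/john%40example.com/1234567",
        "https://booking.example-hotel.tld/retrieve?token=3f9c1e7a8b2d4c6e",
    ]
    for sample in samples:
        print(sample)
        for finding, detail in audit_confirmation_url(sample) or [("no findings", "")]:
            print(f"  {finding}: {detail}")
```

A link with no findings is not automatically safe: an opaque one-time token in the query string is still a bearer credential that travels in the Referer header to whatever third-party content the reservation page loads, unless the page sets a restrictive Referrer-Policy (for example `no-referrer`) or the token is short-lived and invalidated after use. The audit only tells you whether the obvious identifiers are in the URL.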
Wueest told Engadget in an email that he also looked at five travel search engines, and found similar security flaws. "This (...finding) shows it is a general issue in the travel industry and not just a local issue," he wrote.