All it takes is a typo when typing an email address to disclose the details of a Booking.com reservation to a complete stranger. The problem, recently reported by a user of the famous site’s services, draws attention to an obvious security issue which, moreover, seems difficult to resolve. Let’s see why.
Given its important role and worldwide reach, it is not at all surprising that Booking.com, one of the main online accommodation booking portals, has often been the target of numerous cyber attacks over the years. Last month, to cite just one of the most recent examples, its name was exploited to carry out a phishing scam that lured victims with the false hope of obtaining exclusive and advantageous packages. Some time ago, in May to be precise, many users reported receiving WhatsApp messages, apparently from Booking.com, asking them to like accommodations and hotels in exchange for a cash reward.
One can therefore never be too careful, especially when dealing with very large and busy sites, but what has occurred in recent days goes beyond the events we are used to analyzing when talking about cyber attacks. In this case, what made the headlines is a bug disclosed by Ars Technica thanks to a user’s report: what is most surprising is that a simple typo is enough to trigger it.
The protagonist of the story said he received an unexpected email confirming a trip he had never actually booked. His first thought, understandably, was that he had ended up at the center of a scam. However, after carefully avoiding clicking on any link for fear of a phishing attempt, he realized that the reservation he had never made had in fact been registered on his Booking.com account.
The next step, an absolutely correct one, was to contact the portal’s support to report the problem, but no one ever responded to his messages. The user then decided to tell the whole story to Ars Technica in the hope of getting answers, and only after a reminder from the technology news site was it discovered what had really happened. There was no site malfunction or cyber attack: the problem was triggered by a simple typo by another user who, while making a reservation, accidentally entered the email address of the person who then received the confirmation. It may seem like a small bug, but it is in fact a serious problem, since there is no filter or further verification: everything is sent directly to the email address entered.
A typing error, therefore, can expose all the data entered to a complete stranger and, in addition to this danger, the user who made the booking also risks losing its details. What is astounding is that Booking.com, having understood the problem, did not remove the trip from the account of the user who had received it by mistake, on the grounds that doing so would have violated the privacy of the customer who had actually made the reservation with the mistyped email address. So, apparently, in such cases there is really no way to get the issue fixed by contacting the managers of the portal.
The advice, as strange as it may seem nowadays, given the additional checks and verifications that are often carried out even for the smallest transactions, is to pay great attention when typing the email address used to confirm the booking.