Marriott Hotel Reservations and Payment Information Compromised by Web Service Vulnerability

Marriott has been in the news lately regarding its stance on blocking customer WiFi communications in their conference centers. As a customer of Marriott, I questioned how well they “blocked” access to my sensitive information in their system. Since the security of web services is notoriously neglected, I figured their Marriott International Android app would be a good place to start.

After starting up the app and logging in to my Marriott Rewards account, I was brought to a screen that showed my upcoming reservations (I didn’t have any).

The request to fetch the reservations was very interesting. Note the lack of any Cookie or Authorization header.

Marriott was fetching upcoming reservations with a completely unauthenticated request to their web service, meaning one could query the reservations of any rewards member by simply specifying the Membership ID (rewards number). It appeared concerning enough, but I wondered how serious the impact was to customers. With permission, exploring the upcoming reservations of a friend revealed what a valid response looked like:

There’s a lot of sensitive information there. What’s worse is that in order to completely manage a reservation on Marriott’s website, one only needs the reservation number along with the last name of the customer. As seen above, both of these fields are returned in the response.
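To make the root cause concrete, here is an added illustration (not Marriott’s code, nor the PoC mentioned in this post) of a reservation-lookup handler that trusts a caller-supplied membership ID, beside a hardened version that requires a session and only serves the member the session belongs to. All data, tokens, and field names are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample data: membership ID -> upcoming reservations.
RESERVATIONS = {
    "100000001": [{"confirmation": "CONF-AAA", "last_name": "Doe", "hotel": "Example Hotel"}],
    "100000002": [{"confirmation": "CONF-BBB", "last_name": "Roe", "hotel": "Example Inn"}],
}

# Constructed session store: bearer token -> membership ID it was issued to.
SESSIONS = {"tok-alice": "100000001", "tok-bob": "100000002"}


@dataclass
class Request:
    params: dict   # query parameters
    headers: dict  # HTTP headers


class AuthError(Exception):
    """Raised when a request is unauthenticated or asks for another member's data."""


def reservations_vulnerable(req: Request) -> list:
    """Mirrors the flaw described above: no session check, the ID in the
    request alone decides whose reservations are returned."""
    return RESERVATIONS.get(req.params.get("membershipId"), [])


def authenticate(req: Request) -> str:
    """Return the membership ID bound to the request's session token."""
    scheme, _, token = req.headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or token not in SESSIONS:
        raise AuthError("missing or invalid session")
    return SESSIONS[token]


def reservations_hardened(req: Request) -> list:
    """Require a valid session, then enforce object-level authorization:
    the requested membership ID must match the authenticated member."""
    member = authenticate(req)
    requested = req.params.get("membershipId", member)
    if requested != member:
        raise AuthError("membership ID does not belong to the authenticated member")
    return RESERVATIONS[member]


def is_denied(req: Request) -> bool:
    """Helper for tests: True if the hardened handler rejects the request."""
    try:
        reservations_hardened(req)
        return False
    except AuthError:
        return True
```

The hardened handler also logs nothing sensitive and never returns data for an ID the session does not own, which is the check the original endpoint was missing.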

Logging in to manage the reservation, one could cancel the entire reservation.

The customer’s contact and payment information was available on another screen, though only the last four digits of the credit card number were shown.

Obviously, this was a very serious vulnerability. Below is a proof-of-concept exploit I wrote in order to demonstrate the issue to Marriott’s technical team.

It was difficult to get in contact with the right person at Marriott. I attempted the best practice email format for security issues ([email protected]), but the mailbox didn’t exist. After over a month of trying Twitter and some LinkedIn contacts, I finally got in touch with someone in information security. I was extremely impressed with Marriott’s response; their team immediately took the report seriously and ended up resolving the vulnerability in about one day. See the timeline below.

Disclosure Timeline

2015-01-20: Point of contact made
2015-01-20: Report of issue w/ POC
2015-01-20: Confirmed receipt and investigation begins
2015-01-21: Follow-up email received, fix pushed
2015-01-21: Resolution confirmed

Marriott communicated their appreciation to me for notifying them of the vulnerability.

  • Awesome!! Good work. People like you are needed to get such serious flaws resolved 🙂 keep it up 😀

  • Mikeysoft1

    Nice Catch Randy! Has Marriott ever heard of a WAF!! Just saying.

    • justinsteven

      Pray tell, how do you expect a WAF would have prevented exploitation of this particular bug?

  • Marriott International

    Marriott International has a long standing commitment and protocols in place to protect the privacy of customers and security of the personal information entrusted to us. We want to reassure our customers the matter has been resolved and we remain vigilant on the issue of cyber security protecting our business and our customers. We have looked into this matter and have not found any evidence of hacking that resulted from this software issue. We are grateful Mr. Westergren alerted us to this matter so that we could address it as soon as possible.

  • ohrllym8

    speaking of reporting information disclosures, that’s some pretty bad opsec leaking info about your outdated Verizon Samsung Galaxy S4, buddy; hopefully Marriott pays you enough to buy a newer phone