Booking.com ignores twofactor, lets everyone email-login without a password
I like thousands of others have been receiving daily booking.com confirmation e-mails lately.
This is probably because of a leak they've hid instead of going public with, but that's not the worst part.
I looked up the issue and apparently thousands are getting these e-mails.
But hey, you still need to go through a link from your e-mail to set your new password right?
No!
Apparently their login mechanism lets everyone login as you as long as you click a huge "I verify this is me" button even if they are on the other side of earth, so one fumble with your phone and you grant some random person access to your account, and if these people send you 10 requests a day, yeah you get the point.
But i gets worse.
You can't even login with a password anymore, every time you press login you get the same login e-mail scammers are sending with no ability to discern who sent what.
But wait it gets much worse.
At first i almost deleted my account, but thought hey i'll just setup twofactor and assess the situation.
After enabling twofactor, and seeing a big green "Twofactor verified" badge i tried logging out again then clicked on "sign in" - i wrote my e-mail and to my horror the page displayed "We've sent you an email to let you login", i went to gmail - surely this e-mail would take me to a site that required twofactor authentication?
No twofactor! Not even a password or a querystring. Just the same e-mail scammers are sending 5 times a day and access to all of my information with absolutely no trace of any twofactor.
I urge everyone to either delete their booking.com accounts, e-mail them about this issue or contact some appropriate authority.
52 comments
[ 6.3 ms ] story [ 120 ms ] threadhttps://www.reddit.com/r/techsupport/comments/18zewqa/keep_g...
https://www.reddit.com/r/Scams/comments/15oq4pn/bookingcom_v...
https://www.reddit.com/r/Scams/comments/1bblo8a/verification...
There's also posts on twitter and here on hackernews.
But at its core numbers don't matter, the fact that they ignore twofactor and let everyone login by clicking on the request e-mail is a complete failure of security.
Non tech savvy people will absolutely get compromised by this at some point given enough requests, and they don't post to Reddit about it.
If it works, you should definitely solve the problem for yourself even before booking.com eventually suffers enough to address the problem more generally.
I suggest changing your email with booking.com to something the attackers wouldn't know.
Using the Gmail option of extending your normal username with '+' something – eg use ACCOUNT+unguessable-string@gmail.com in place of ACCOUNT@gmail.com – might be enough. With luck (if the site hasn't been too dumb), then when they hit the site with your old/plain address, no email will be generated.
They just remove everything after the + sign then send you an email to your old address saying they updated your info. Then you can login again with the old address but now twofactor is apparently turned on. Very weird.
This was 20 days ago.
Having worked with auth myself in my programming career i have no idea what is going on over there when people have been posting about this issue for a year now apparently?
But even in programming, you can't tell me there arent well earned reputations out there.
Then you know, the people who are allowed to bid are only qualified bidders - unless you absolutely want to guarantee legal shitshows and disasters.
And the lowest bidder of them makes it up in change orders or the like in most cases. Or is legitimately the biggest outfit in the area and can make it up in economies of scale.
And even then, PR disasters can and do still happen. And do happen all the time. Even at the national level, but especially at the local level.
I'm not just lying. Decades of experience in this. Yes construction basically lowest bidder outside of some private construction where relationships count for a bit, but even then the subs with relationships will get squeezed to match the lowest bidder.
2) no negative outstanding complaints on said license
3) no negative history with the owner, GC, or prime contractors.
4) history of successfully completing equivalent work without screwing over everyone else involved.
5) on union jobs, the right kinds of union support.
The ‘basically’ in your statement is doing a lot of work.
No GC with a chance of staying solvent accepts random low bids from contractors they don’t know, have history with, or that don’t have history with someone they know doing work successfully of the same type.
Rework is already enough of a problem without having to completely redo plumbing, electrical, framing, carpentry, what have you because a sub screwed it up - and disappeared or is now insolvent.
Going after someone’s license takes forever, same with suing someone over damages, and it’s not like a bad sub disappearing in a drunken bender (or worse) after a screw up never happens in certain corners of the industry.
Will folks get squeezed a bit? Sure, it’s part of the game. They also fluff a bit, also part of the game. Somehow, the folks who know how to play it end up solvent and with new trucks at the end eh?
But avoiding fly by night subs is an even bigger part of staying alive. Public works are a classic shitshow on this front though in some areas.
As an example, I see bidding stats in my PM tool. On average my customers have a win rate of about 15%. One of the bigger companies doing $1.5 million a month of work has a 10% win rate. They are very good at what they do.. you can't half as your way into 15+ million of work a year, year after year. But they still win only about 10%. Because even though they are very qualified and liked, jobs go to the most competitive bid.
> Apparently their login mechanism lets everyone login as you as long as you click a huge "I verify this is me" button even if they are on the other side of earth, so one fumble with your phone and you grant some random person access to your account
Can I enter an email address on their site and click "I verify this is me" to steal an account? What does the "fumble with your phone" refer to?
You then get an e-mail with a huge button and if you click it they are granted access to your account without a password, even if you've enabled twofactor.
They do this many times a day so one click wrong in your e-mail app and you've granted someone access to your account.
The best fix I've seen for that one is to go straight ahead if the cookies say it's the same browser, otherwise require a six digit code that was sent in the email.
There does not seem to be a way to actually delete your account.
Note: IANAL
From there you can write over personal data and maybe even change to a lower importance email address.
The only solution I found was to literally change my email on Booking.com, the emails have stopped now.
I think they are using it different ways. Booking.com uses it as a primary authentication mechanism: enter your e-mail address, they send a link to that e-mail address, and clicking the link effectively authenticates you and you are logged in.
When I click on a link to a NextDoor post, sometimes it redirects me to a page with a button. Click the button, they send you an e-mail with a link, and clicking the link redirects me to the NextDoor post. What isn't clear in this case is if the e-mail link is a primary form of authentication, or secondary. For example, maybe my auth session expired, so they know I logged in at some point in the past, and the link in the e-mail is used to refresh my session.
I have to admit, I like the ease of using e-mail access as a form of authentication. I'm not sure how I feel about it being the primary form of authentication.
Insanity.
It is baffling that a major travel website is allowed to operate like this.
It's been 20 minutes and the email still has not arrived.
I still get the phishing "login confirmation" emails though.
[People seem to be downvoting me but no one seems to be replying with what the reasonable behavior should be. Maybe my understanding of 2FA through email verification is lacking?]
2FA is supposed to protect you even if you accidentally click on the magic sign-in link, but Booking.com is (apparently) not enforcing 2FA.
This isn't that far outside the norm, and assuming I understand correctly that this verification button is in the email itself, I assume it is itself a verification link.
Still, taken together with everything (especially an undisclosed leak) it's enough that I've deleted my payment methods from Booking.com along with some additional personal info and probably won't be re-storing them short of the kind of retrospective reassurance that most management apparently finds beyond their capability. Without a payment method to abuse or even further data to harvest, it's hard to imagine an attacker having incentive to engage the account.
This is pretty far out of my norm. Where I'm from email auth is referred to as OTP, as we all always assume an OTP is sent to the users email.
The only time I've seen links for confirming in email are when signing up or resetting a password (or changing/verifying emails in an otherwise already authenticated context). Not for logging directly into an authenticated context.
Disclaimer: I'm the type of dev who has routinely argued against magic links. The convenience they provide is hardly worth all the considerations that have to be made.
I've only ever seen magic links recommended by sales people. Presumably because it makes their demos go smoother when people want to know how difficult it is to access the product.
I wonder if Booking is mostly third-party contractors or if they have employees. If the latter, then this is likely known inside, but executives don't care. If the former, it's possible executives don't know or also don't care. In my career, I've seen both scenarios. Given Priceline's size (Bookings' parent), it could be both. Executives want frictionless processes for customers; security is rarely important. The competitor to Priceline/Booking I worked at about a decade ago emailed forgotten passwords to customers, despite getting training at work where the first rule was don't remember passwords, and we couldn't get leadership to get rid of that because it was "convenient."
Please, if you are implementing an email confirmation process, include a way to say "this is not me". Someone has been periodically trying to activate their account in some website, and the no way for me to make it stop.