Booking.com ignores twofactor, lets everyone email-login without a password
90 points by MyFirstSass 5 months ago | 51 comments
Okay so this is crazy.

I, like thousands of others, have been receiving daily booking.com confirmation e-mails lately.

This is probably because of a leak they've hidden instead of going public with, but that's not the worst part.

I looked up the issue and apparently thousands are getting these e-mails.

But hey, you still need to go through a link from your e-mail to set your new password right?

No!

Apparently their login mechanism lets anyone log in as you as long as you click a huge "I verify this is me" button, even if they are on the other side of the earth, so one fumble with your phone and you grant some random person access to your account, and if these people send you 10 requests a day, yeah, you get the point.

But it gets worse.

You can't even log in with a password anymore: every time you press login you get the same login e-mail scammers are sending, with no ability to discern who sent what.

But wait it gets much worse.

At first I almost deleted my account, but thought, hey, I'll just set up two-factor and assess the situation.

After enabling two-factor and seeing a big green "Two-factor verified" badge, I tried logging out again, then clicked on "sign in". I wrote my e-mail and to my horror the page displayed "We've sent you an email to let you login". I went to Gmail; surely this e-mail would take me to a site that required two-factor authentication?

No two-factor! Not even a password or a query string. Just the same e-mail scammers are sending 5 times a day, and access to all of my information with absolutely no trace of any two-factor.

I urge everyone to either delete their booking.com accounts, e-mail them about this issue or contact some appropriate authority.




I tried to log in to booking.com, but it claimed that I hadn't registered yet. So I registered again, with the same email. It didn't verify my email, and after logging out and in again with the new password, all my old bookings were still available. So yeah... I was effectively able to change the password without any form of verification.

This was 20 days ago.


Amazing.

Having worked with auth myself in my programming career, I have no idea what is going on over there, when people have apparently been posting about this issue for a year now.


It's obvious what's going on. The entire thing has been outsourced to a certain country and this is basically standard for work out of that country.


Shitty work happens in any country when you look for the lowest bidder.


The entire construction industry is basically based around hiring the lowest bidder, especially in public works, and other than giant projects where somehow corruption allows them to collect more than their bid, these jobs basically get performed to a decent standard by the lowest bidder.

But even in programming, you can't tell me there aren't well-earned reputations out there.


Uh, have you worked in construction? Because that is definitely not how it happens.


Yes I have, and my family has for their entire life, and I created an entire saas for the construction industry that has enough paying customers to support myself easily.


Uh huh.

Then you know, the people who are allowed to bid are only qualified bidders - unless you absolutely want to guarantee legal shitshows and disasters.

And the lowest bidder of them makes it up in change orders or the like in most cases. Or is legitimately the biggest outfit in the area and can make it up in economies of scale.

And even then, PR disasters can and do still happen. And do happen all the time. Even at the national level, but especially at the local level.


Yes, 'qualified bidders'. And what are the qualifications to bid to do the cabinets on a 6 million dollar public works/commercial building, which means the building might have $300,000+ of cabinets at most? Basically zero qualifications besides having a license. And with public works, yes the GCs will basically go with the lowest bidder. And while change orders do happen, it's the GCs job to get them to stick to their bid or otherwise they're just burning their own money.

I'm not just lying. Decades of experience in this. Yes construction basically lowest bidder outside of some private construction where relationships count for a bit, but even then the subs with relationships will get squeezed to match the lowest bidder.


1) a bond (not that it necessarily means THAT much, but it’s not trivial)

2) no negative outstanding complaints on said license

3) no negative history with the owner, GC, or prime contractors.

4) history of successfully completing equivalent work without screwing over everyone else involved.

5) on union jobs, the right kinds of union support.

The ‘basically’ in your statement is doing a lot of work.

No GC with a chance of staying solvent accepts random low bids from contractors they don’t know, have history with, or that don’t have history with someone they know doing work successfully of the same type.

Rework is already enough of a problem without having to completely redo plumbing, electrical, framing, carpentry, what have you because a sub screwed it up - and disappeared or is now insolvent.

Going after someone’s license takes forever, same with suing someone over damages, and it’s not like a bad sub disappearing in a drunken bender (or worse) after a screw up never happens in certain corners of the industry.

Will folks get squeezed a bit? Sure, it’s part of the game. They also fluff a bit, also part of the game. Somehow, the folks who know how to play it end up solvent and with new trucks at the end eh?

But avoiding fly by night subs is an even bigger part of staying alive. Public works are a classic shitshow on this front though in some areas.


You basically listed pretty trivial things, that like I said, let the construction industry operate on lowest bidder model in general.

As an example, I see bidding stats in my PM tool. On average my customers have a win rate of about 15%. One of the bigger companies doing $1.5 million a month of work has a 10% win rate. They are very good at what they do... you can't half-ass your way into $15+ million of work a year, year after year. But they still win only about 10%. Because even though they are very qualified and liked, jobs go to the most competitive bid.


Booking.com has one weird "feature" where they allow you to checkout without signing-in, and using the email of any other Booking.com user without verification in the checkout form. I had dozens and dozens of orders "placed on my behalf" this way; they were all no-shows and their CCs were declined, and they ended up disabling my account for fraud suspicion.


I had the same problem with some unknown party making a booking on my behalf. After digging deeper, I also discovered that anyone can place any booking with your account as long as no immediate payment is required. This spooked me, and I cancelled everything and deleted my account after more than a decade of being their customer.


VRBO allows the same thing. I typo’d an email during a booking, and they had no way of fixing it (talk to property owner). I ended up having to register a new domain with that email address so I could manage my reservation.

Insanity.


:D that's some out-of-the-box thinking


This explains a lot, as this happened to me recently too. First, I thought that someone had managed to hack into my account. Booking support was not very helpful. In the end, I just changed my password and canceled the booking, hoping for the best.

It is baffling that a major travel website is allowed to operate like this.


I don't understand this bit:

> Apparently their login mechanism lets everyone login as you as long as you click a huge "I verify this is me" button even if they are on the other side of earth, so one fumble with your phone and you grant some random person access to your account

Can I enter an email address on their site and click "I verify this is me" to steal an account? What does the "fumble with your phone" refer to?


Someone goes to booking.com, puts your e-mail address in the sign-in field.

You then get an e-mail with a huge button and if you click it they are granted access to your account without a password, even if you've enabled two-factor.

They do this many times a day so one click wrong in your e-mail app and you've granted someone access to your account.


Oh I get it! So this is the pattern where just clicking the link on ANY device is treated as email confirmation, rather than ensuring it's the same browser that started the request (difficult when people may be checking their email on their phone while signing in on their laptop).

The best fix I've seen for that one is to go straight ahead if the cookies say it's the same browser, otherwise require a six digit code that was sent in the email.
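
The fix described in the comment above, as an added example that is not Booking.com's code or the commenter's: a magic-link sign-in that only completes in the browser that started the request (identified by a cookie set at that moment), and otherwise requires the six-digit code from the same email to be typed into that requesting browser. Clicking the link anywhere else signs nobody in. The class, method and constant names (MagicLinkAuth, click_link, submit_code, report_not_me, LINK_TTL, MAX_CODE_TRIES) are illustrative assumptions, and state is kept in memory rather than a database.

```python
import hashlib
import hmac
import secrets
import time

LINK_TTL = 15 * 60   # seconds a sign-in request stays valid
MAX_CODE_TRIES = 5   # the browser holding the cookie may be an attacker's: cap guesses


def _h(value: str) -> str:
    """Store only hashes so a leaked table yields no usable links or codes."""
    return hashlib.sha256(value.encode()).hexdigest()


class MagicLinkAuth:
    """Email-link sign-in bound to the browser that started it (in-memory demo)."""

    def __init__(self, now=time.time):
        self.now = now           # injectable clock, so expiry can be tested
        self.pending = {}        # hash(browser cookie) -> sign-in request
        self.by_link = {}        # hash(link token)     -> hash(browser cookie)
        self.sessions = {}       # session id           -> email

    def start(self, email: str):
        """Someone typed `email` into the sign-in box.
        The cookie is set on that browser only; link_token and code go in the email."""
        cookie = secrets.token_urlsafe(32)
        link_token = secrets.token_urlsafe(32)
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[_h(cookie)] = {
            "email": email,
            "code_hash": _h(code),
            "tries": 0,
            "expires": self.now() + LINK_TTL,
        }
        self.by_link[_h(link_token)] = _h(cookie)
        return link_token, code, cookie

    def _live(self, browser_hash):
        req = self.pending.get(browser_hash)
        if req is not None and self.now() > req["expires"]:
            self._drop(browser_hash)
            req = None
        return req

    def _drop(self, browser_hash):
        self.pending.pop(browser_hash, None)
        self.by_link = {k: v for k, v in self.by_link.items() if v != browser_hash}

    def _grant(self, browser_hash, req):
        self._drop(browser_hash)  # single use: link and code die with the request
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = req["email"]
        return "ok", sid

    def click_link(self, link_token: str, cookie):
        """The link from the email was opened in a browser that may or may not hold the cookie."""
        browser_hash = self.by_link.get(_h(link_token))
        req = self._live(browser_hash) if browser_hash else None
        if req is None:
            return "denied", "unknown, used or expired link"
        if cookie is not None and hmac.compare_digest(_h(cookie), browser_hash):
            return self._grant(browser_hash, req)
        # Opened on another device, or for a request someone else started: nobody is signed in.
        return "need_code", "type the code from this email into the browser where you started"

    def submit_code(self, cookie, code: str):
        """The requesting browser proves the person in front of it can read the email."""
        browser_hash = _h(cookie) if cookie else None
        req = self._live(browser_hash) if browser_hash else None
        if req is None:
            return "denied", "no sign-in request for this browser"
        req["tries"] += 1
        if req["tries"] > MAX_CODE_TRIES:
            self._drop(browser_hash)
            return "denied", "too many attempts; start over"
        if not hmac.compare_digest(_h(code), req["code_hash"]):
            return "denied", "wrong code"
        return self._grant(browser_hash, req)

    def report_not_me(self, link_token: str) -> bool:
        """'This was not me' link from the same email: cancel the request outright."""
        browser_hash = self.by_link.get(_h(link_token))
        if browser_hash is None:
            return False
        self._drop(browser_hash)
        return True
```

The attempt cap matters because in the attack scenario the browser holding the cookie is the attacker's, so without it the six-digit code is brute-forceable; the report_not_me path is the "this is not me" button that a later comment in this thread asks for.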


Email login: so a message is sent to the email address and one careless action grants the other party the ability to login/continue.


Hah, I thought I was an isolated case getting dozens of login emails per day.

The only solution I found was to literally change my email on Booking.com, the emails have stopped now.


I've noticed more sites using the ability to access an e-mail account as an authentication mechanism.

I think they are using it different ways. Booking.com uses it as a primary authentication mechanism: enter your e-mail address, they send a link to that e-mail address, and clicking the link effectively authenticates you and you are logged in.

When I click on a link to a NextDoor post, sometimes it redirects me to a page with a button. Click the button, they send you an e-mail with a link, and clicking the link redirects me to the NextDoor post. What isn't clear in this case is if the e-mail link is a primary form of authentication, or secondary. For example, maybe my auth session expired, so they know I logged in at some point in the past, and the link in the e-mail is used to refresh my session.

I have to admit, I like the ease of using e-mail access as a form of authentication. I'm not sure how I feel about it being the primary form of authentication.


> "I verify this is me" button even if they are on the other side of earth, so one fumble with your phone and you grant some random person access to your account, and if these people send you 10 messages a day

This isn't that far outside the norm, and assuming I understand correctly that this verification button is in the email itself, I assume it is itself a verification link.

Still, taken together with everything (especially an undisclosed leak) it's enough that I've deleted my payment methods from Booking.com along with some additional personal info and probably won't be re-storing them short of the kind of retrospective reassurance that most management apparently finds beyond their capability. Without a payment method to abuse or even further data to harvest, it's hard to imagine an attacker having incentive to engage the account.


> This isn't that far outside the norm

This is pretty far out of my norm. Where I'm from email auth is referred to as OTP, as we all always assume an OTP is sent to the users email.

The only time I've seen links for confirming in email are when signing up or resetting a password (or changing/verifying emails in an otherwise already authenticated context). Not for logging directly into an authenticated context.

Disclaimer: I'm the type of dev who has routinely argued against magic links. The convenience they provide is hardly worth all the considerations that have to be made.

I've only ever seen magic links recommended by sales people. Presumably because it makes their demos go smoother when people want to know how difficult it is to access the product.


Sounds like they're under active attack due to some poor initial practices & having a hard time getting in front of it.

I suggest changing your email with booking.com to something the attackers wouldn't know.

Using the Gmail option of extending your normal username with '+' something – eg use ACCOUNT+unguessable-string@gmail.com in place of ACCOUNT@gmail.com – might be enough. With luck (if the site hasn't been too dumb), then when they hit the site with your old/plain address, no email will be generated.


Thanks. Just tried it, didn't work unfortunately.

They just remove everything after the + sign, then send you an email to your old address saying they updated your info. Then you can log in again with the old address, but now two-factor is apparently turned on. Very weird.


I'm also receiving these emails, but didn't realize anything was different because my email is ready for people to accidentally sign up with.

Please, if you are implementing an email confirmation process, include a way to say "this is not me". Someone has been periodically trying to activate their account on some website, and there is no way for me to make it stop.


Who are these “thousands” of other people you are referring to? Is this a Reddit/Twitter/Lemmy thread?


I've been getting those for a longer while now, but didn't realize how bad this scenario was until now.


Reddit, just in the past year:

https://www.reddit.com/r/techsupport/comments/18zewqa/keep_g...

https://www.reddit.com/r/Scams/comments/15oq4pn/bookingcom_v...

https://www.reddit.com/r/Scams/comments/1bblo8a/verification...

There's also posts on twitter and here on hackernews.

But at its core numbers don't matter; the fact that they ignore two-factor and let anyone log in by clicking on the request e-mail is a complete failure of security.

Non tech savvy people will absolutely get compromised by this at some point given enough requests, and they don't post to Reddit about it.


I see the top comment in your top link makes the same recommendation I made in another comment here (https://news.ycombinator.com/item?id=40720789).

If it works, you should definitely solve the problem for yourself even before booking.com eventually suffers enough to address the problem more generally.


Having the same problem. It's really annoying, and they don't seem interested in solving it.


You can go to youtube and login with any random email address and get the full name of the person and profile photo, assuming they've ever logged into Google. All you need is their email address.


Is this still true after the recent signin page updates? I tried it and didn't seem to get those


Ah, looks like it is tied to "has this IP ever logged in with this email" kinda thing.


Booking.com's delete account process is also just a single "feedback" form that goes into a black hole.

There does not seem to be a way to actually delete your account.


Send an email with a request to remove/delete your account. They are a Dutch registered company and therefore have to comply AFAIK. Otherwise, informing the Dutch consumer watchdog might be an alternative.

Note: IANAL


I also think they have to comply because of this: https://gdpr-info.eu/art-17-gdpr/


I mean, GDPR also requires them to disclose the data breach publicly within 72h of detection, but it seems like they're not even remotely interested in that.


Delete your payment methods. That will remove the biggest incentive to do something that’s a risk to you with the account.

From there you can write over personal data and maybe even change to a lower importance email address.


> Delete account - We received your request. Check your inbox for xxx to finish deleting your account.

It's been 20 minutes and the email still has not arrived.


If you use another auth mechanism (Google, Apple) to sign in, then 2FA is enforced as expected.

I still get the phishing "login confirmation" emails though.


When you’re too cheap and dumb to spend $0.02 per user for a robust auth system and decide to fuck everything up instead.


Building a decent auth system is not so complicated that you need to rely on a 3rd-party company to do it; they just hired cheap devs to maximize those profits.


I closed my account just to end the madness. I haven't used booking in a while anyway.



StupidSecurity.Yeah

I wonder if Booking is mostly third-party contractors or if they have employees. If the latter, then this is likely known inside, but executives don't care. If the former, it's possible executives don't know or also don't care. In my career, I've seen both scenarios. Given Priceline's size (Booking's parent), it could be both. Executives want frictionless processes for customers; security is rarely important. The competitor to Priceline/Booking I worked at about a decade ago emailed forgotten passwords to customers, despite getting training at work where the first rule was don't remember passwords, and we couldn't get leadership to get rid of that because it was "convenient."


Getting these emails as well


If your password is leaked, and you then authorize the verification email by clicking on the verify text, how else do you expect Booking.com to prevent access? The point of 2-factor is lost if you are careless with your second factor.

[People seem to be downvoting me but no one seems to be replying with what the reasonable behavior should be. Maybe my understanding of 2FA through email verification is lacking?]


2nd factor refers to an OTP code generated using an authenticator app, not the "magic sign-in" link that was sent to them (that was the 1st factor, an alternative to providing the password).

2FA is supposed to protect you even if you accidentally click on the magic sign-in link, but Booking.com is (apparently) not enforcing 2FA.
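
To make the distinction in the comment above concrete, here is an added example (not Booking.com's code, nor the commenter's) of how a second factor gates a session once an email link or password has served as the first factor: an RFC 6238 TOTP implementation (HMAC-SHA1, 30-second steps, 6 digits) and a session store that leaves a session in an "mfa_pending" state until a fresh, not-yet-used code is presented. The names MfaGate, first_factor_done, submit_totp, is_authenticated and the Account.last_counter field are illustrative assumptions.

```python
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass
from typing import Optional

STEP = 30      # TOTP time step in seconds
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{number % 10**digits:0{digits}d}"


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter for Unix time `at`."""
    return hotp(secret, at // step)


def match_totp(secret: bytes, code: str, at: int, window: int = 1) -> Optional[int]:
    """Return the counter `code` matched, or None; tolerates `window` steps of clock drift."""
    base = at // STEP
    for counter in range(base - window, base + window + 1):
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


@dataclass
class Account:
    email: str
    totp_secret: Optional[bytes] = None
    last_counter: int = -1   # highest counter already accepted; blocks replay of a seen code


class MfaGate:
    """Sessions created by a first factor (password or email link) stay 'mfa_pending'
    until a TOTP code is accepted; only 'authenticated' sessions may act."""

    def __init__(self):
        self.sessions = {}   # session id -> {"account": Account, "state": str}

    def first_factor_done(self, account: Account) -> str:
        """Called after the password check or the email link, never later than that."""
        sid = secrets.token_urlsafe(32)
        state = "mfa_pending" if account.totp_secret else "authenticated"
        self.sessions[sid] = {"account": account, "state": state}
        return sid

    def submit_totp(self, sid: str, code: str, at: int) -> bool:
        s = self.sessions.get(sid)
        if s is None or s["state"] != "mfa_pending":
            return False
        acct = s["account"]
        counter = match_totp(acct.totp_secret, code, at)
        if counter is None or counter <= acct.last_counter:
            return False   # wrong code, or a code that was already used once
        acct.last_counter = counter
        s["state"] = "authenticated"
        return True

    def is_authenticated(self, sid: str) -> bool:
        s = self.sessions.get(sid)
        return s is not None and s["state"] == "authenticated"
```

The point the thread is making shows up in first_factor_done: whichever first factor created the session, the account's enrolled second factor decides whether the session is usable, so an accidentally clicked email link leaves an attacker stuck at "mfa_pending". The last_counter check is the caveat practitioners forget: a TOTP code observed over someone's shoulder is otherwise valid for the rest of its 30-second window plus the drift tolerance.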


In my understanding the authenticator app is not the only way to have 2FA. It looks like here Booking was using the email for verification? This seems similar to a forgot password flow.



