According to Randy Westergren, who is the software developer in question, he discovered the vulnerability after he logged into the app using only his Membership ID number. After doing so, he realized the app made a request to fetch reservations, even though he had none. He discovered that the app was fetching reservations through unauthenticated requests, which means he could type in a different Membership ID and send it to the server. By doing so, Westergren could find out a customer’s reservation, the hotel where they will be staying at, and the check-in time.
Once he had this information, Westergren could easily log into Marriott’s website with it, since the site only requires a last name and reservation number to log in. Doing so granted Westergren the ability to cancel planned trips and obtain addresses, credit card numbers, and customer information. Granted, only the last four digits of their credit cards would be revealed, but that would be more than plenty for hackers to work with.
Thankfully, according to Westergren, Marriott fixed the issue a day after his report saw the light of day. We’ve yet to read or receive any reports of compromised accounts, so if you frequently use the Marriott app, your information should be safe. Even so, thinking about how the app first launched back in 2011 with this vulnerability doesn’t exactly make anyone very happy, to say the least.
Editors' Recommendations
- How to get Android apps on a Chromebook
- The best iPhone and Android apps for Black History Month 2024
- Google is launching a powerful new AI app for your Android phone
- How to force close apps on your Android device
- The 7 best voice-changing apps for Android and iOS in 2024
