You may want to be extra careful if you're booking holiday travel for family and friends this year through Booking.com. A stunned user recently discovered that a typo in an email address could inadvertently share private trip info with strangers, who can then access sensitive information and potentially even take over bookings that Booking.com automatically adds to their accounts.
This issue came to light after a Booking.com user, Alfie, got an email confirming a trip he had never booked.
At first, Alfie assumed it was a phishing attempt, so he avoided clicking any links in the email to prevent any malicious activity and instead went directly to his Booking.com account to verify that the trip info wasn't there. But rather than feeling the sweet relief that his account had not been compromised, he was shocked to find the trip had somehow been booked through his account.
Alfie told Ars he was "quite sure" he had not been hacked but could not explain how the booking got there. He contacted a Booking.com support team member, who he said also seemed surprised, putting him on hold for 10 minutes and telling him that "they had not seen anything like it in the many years they had worked there." By the end of the call, Alfie was told that the issue was escalated to security teams who would follow up within 48 hours.
But Booking.com never followed up, leaving Alfie in limbo. Over the next few days, the dates of the odd booking came and went without any response from the travel site. Frustrated, Alfie reached out to Ars to investigate his privacy and security concerns, and Booking.com similarly appeared evasive, responding quickly to Ars but then again going silent. It took weeks to finally get an answer, but Booking.com eventually explained exactly what happened and why there is no fix coming.
"The security and privacy of our customers’ information are a top priority for Booking.com," Booking.com's spokesperson told Ars. "Following our investigation, we found that the issue occurred due to a customer input error during the reservation process, where he inadvertently entered an incorrect email address. That email address, however, belonged to another Booking.com customer"—Alfie—"which caused the reservation to be linked to their account."
For Booking.com, it's essential that users can book travel for other users by adding their email addresses to a booking because that's how people frequently book trips together. And if it happens that the email address added to a booking is also linked to an existing Booking.com user, the trip is automatically added to that person's account. After that, there's no way for Booking.com to remove the trip from the stranger's account, even if there's a typo in the email or if auto-complete adds the wrong email domain and the user booking the trip doesn't notice.
According to Booking.com, there is nothing to fix because this is not a "system glitch," and there was no "security breach." What Alfie encountered is simply the way the platform works, which, like any app where users input information, has the potential for human error.
In the end, Booking.com declined to remove the trip from Alfie's account, saying that would have violated the privacy of the user booking the trip. The only resolution was for Alfie to remove the trip from his account and pretend it never happened.
Alfie remains concerned, telling Ars, "I can't help thinking this can't be the only occurrence of this issue." But Jacob Hoffman-Andrews, a senior staff technologist for the digital rights group the Electronic Frontier Foundation, told Ars that after talking to other developers, his "gut reaction" is that Booking.com didn't have a ton of options to prevent typos during bookings.
"There's only so much they can do to protect people from their own typos," Hoffman-Andrews said.