It was recently learned that Airbnb accounts are vulnerable to hijacking. An attacker can take over an account simply by creating a new account on the home-rental service and entering a phone number that previously belonged to another Airbnb customer.
The risk posed by recycled telephone numbers has been known for years, and many large companies have run into this class of attack. Airbnb appears to be one of them, though the company says only a small number of users were affected.
The issue came to light when a woman named Maya told SecurityWeek that her husband, while trying to create an Airbnb account, accidentally logged in to another user's account.
When he entered his phone number (a step in registering an account), he received a four-digit code via SMS. Entering that code logged him into the account of another user, the previous owner of the phone number.
The account belonged to a woman in North Carolina and contained a great deal of personal information: her photo, email address, telephone number and more. The account also had a valid payment card on file, meaning that anyone who logged in this way could have made bookings on Airbnb with that card.
Maya confirmed the issue by testing with her friends' phone numbers (with their consent). Worryingly, Airbnb did not inform the new holder of the phone number that the number had already been used to sign up for an account, nor did it notify the legitimate account holder of a potentially suspicious login.
Maya was unaware of Airbnb's bug bounty program and tried to report her findings about accounts and phone numbers through the company's support channel. She says she tried hard to convince Airbnb of the seriousness of the issue, but it was not resolved. Her last check was on September 22.
Airbnb support staff told Maya to create an account using a different phone number and stressed that users' accounts are safe and that only their legitimate holders can access them. That is not the case, however: phone numbers that have changed hands can be used to gain access to the previous holders' accounts.
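The sign-up flow described above, reduced to its essentials, beside a hardened version that refuses to treat control of a phone number as proof of ownership of an existing account. This is an added example written for this page, not Airbnb's code; the class names, the in-memory account store, the sample victim account and the email-token step-up are all assumptions made for the demonstration.

```python
"""
Constructed illustration of a phone-number sign-up flow that hands a recycled
number's new holder the previous holder's account, and a hardened flow that
requires a factor which does not travel with the number and notifies both
parties. Added example; names and sample data are assumptions, not Airbnb's.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
import secrets


@dataclass
class Account:
    account_id: str
    email: str
    phone: str
    card_on_file: bool


def new_sms_code() -> str:
    # Four-digit code, as in the reported flow.
    return f"{secrets.randbelow(10_000):04d}"


class VulnerableSignup:
    """If the number entered at sign-up already belongs to an account, the caller
    is logged straight into that account once the SMS code is confirmed."""

    def __init__(self, accounts: List[Account]):
        self.by_phone: Dict[str, Account] = {a.phone: a for a in accounts}
        self.pending: Dict[str, str] = {}

    def start(self, phone: str) -> str:
        # Returned only so the demo can use it; a real system sends it by SMS.
        self.pending[phone] = new_sms_code()
        return self.pending[phone]

    def verify(self, phone: str, code: str) -> Optional[Account]:
        if self.pending.pop(phone, None) != code:  # one attempt per issued code
            return None
        existing = self.by_phone.get(phone)
        if existing is not None:
            return existing  # flaw: a recycled number yields the previous holder's account
        acct = Account(f"acct-{len(self.by_phone) + 1}", "", phone, False)
        self.by_phone[phone] = acct
        return acct


@dataclass
class SignupResult:
    account: Optional[Account]
    step_up_required: bool = False
    notices: List[str] = field(default_factory=list)


class HardenedSignup(VulnerableSignup):
    """A number already bound to an account never logs the caller in by itself.
    Proving that account needs a factor that does not move with the number (an
    email-delivered token here, an assumed design); the previous holder is told
    of the attempt and the caller is told the number is already in use."""

    def __init__(self, accounts: List[Account]):
        super().__init__(accounts)
        self.email_tokens: Dict[str, str] = {}  # token -> account_id (sent out-of-band)

    def verify(self, phone: str, code: str) -> SignupResult:
        if self.pending.pop(phone, None) != code:
            return SignupResult(None)
        existing = self.by_phone.get(phone)
        if existing is not None:
            token = secrets.token_urlsafe(16)
            self.email_tokens[token] = existing.account_id
            return SignupResult(
                None,
                step_up_required=True,
                notices=[
                    f"to caller: {phone} is already registered; use a different number or check the email on file",
                    f"to {existing.email}: sign-in attempt with your phone number {phone}",
                ],
            )
        acct = Account(f"acct-{len(self.by_phone) + 1}", "", phone, False)
        self.by_phone[phone] = acct
        return SignupResult(acct)

    def finish_with_email_token(self, token: str) -> Optional[Account]:
        """Completes access to the existing account only for whoever controls its email."""
        account_id = self.email_tokens.pop(token, None)
        if account_id is None:
            return None
        return next(a for a in self.by_phone.values() if a.account_id == account_id)


def takeover_demo():
    """Run both flows against a constructed victim whose number has been recycled."""
    victim = Account("acct-1", "victim@example.com", "+15550000001", card_on_file=True)
    weak = VulnerableSignup([victim])
    hijacked = weak.verify(victim.phone, weak.start(victim.phone))
    strong = HardenedSignup([victim])
    blocked = strong.verify(victim.phone, strong.start(victim.phone))
    return hijacked, blocked


if __name__ == "__main__":
    hijacked, blocked = takeover_demo()
    print("vulnerable flow granted:", hijacked)
    print("hardened flow granted:", blocked.account, "| step-up:", blocked.step_up_required)
    print("\n".join(blocked.notices))
```

The hardened flow does two things the article says were missing: it tells the person signing up that the number is already in use, and it alerts the existing account holder through a channel the new number holder does not control. Whether the step-up factor is email, a password, or a passkey is a design choice; the point is that it must not be the SMS code itself.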
"Airbnb support kept telling us the same thing: use a different phone number. They did not realize the security issue we raised (although we were clear with them). After all, we accidentally logged in to another user's account, and it seems to me that they do not find it as worrying as we do," Maya explained.
Airbnb needs to secure its login process and notify users of suspicious logins to their accounts.
The company said it has taken steps to resolve the issue, but did not provide details about those steps.
"We have developed a solution to the reported problem of reusable telephone numbers, and fortunately only a very small number of our users have been affected. We are constantly evaluating and improving our protections and are committed to strengthening the security controls of our platform," an Airbnb spokesman told SecurityWeek.
Airbnb support staff should be able to handle such reports. Security issues are often reported not through official bug bounty programs but by ordinary users, and companies should take those reports seriously.