[Oops] Marriott’s Android App Has Probably Been Leaking Credit Card Data For Years

Remember how Marriott hotels wanted to block WiFi hotspots and make everyone pay for internet access? It turns out giving Marriott money for lodging is maybe not a good idea in the first place. According to software developer Randy Westergren, it has been possible to access customer information on Marriott’s servers without a password since the Android app was released in 2011.

The problem is that Marriott’s Android app didn’t use any sort of token or authorization data to access your reservations. Westergren created a proof-of-concept script that simply crawled reservation numbers starting at an arbitrary point until it found a valid number. All he needed was a name and the reservation number to access the customer accounts on Marriott’s website, and he could get that because of the app. This presented all the user’s information including address, phone number, reservation details, and the last four digits of the credit card number. Granted, you can’t go on a spending spree with the last four, but this is useful data for identity theft.

Westergren found he could modify and cancel reservations that were not his own quite easily with this method. With the cancellation fees Marriott charges, he might as well have gotten the whole credit card number. In fairness, Marriott took the vulnerability seriously when it was disclosed by Westergren. A server-side fix was rolled out on January 21st.

[Forbes, Randy Westergren]