According to Randy Westergren, who is the software developer in question, he discovered the vulnerability after he logged into the app using only his Membership ID number. After doing so, he realized the app made a request to fetch reservations, even though he had none. He discovered that the app was fetching reservations through unauthenticated requests, which means he could type in a different Membership ID and send it to the server. By doing so, Westergren could find out a customer’s reservation, the hotel where they will be staying at, and the check-in time.
Once he had this information, Westergren could easily log into Marriott’s website with it, since the site only requires a last name and reservation number to log in. Doing so granted Westergren the ability to cancel planned trips and obtain addresses, credit card numbers, and customer information. Granted, only the last four digits of their credit cards would be revealed, but that would be more than plenty for hackers to work with.
Thankfully, according to Westergren, Marriott fixed the issue a day after his report saw the light of day. We’ve yet to read or receive any reports of compromised accounts, so if you frequently use the Marriott app, your information should be safe. Even so, thinking about how the app first launched back in 2011 with this vulnerability doesn’t exactly make anyone very happy, to say the least.
