Booking.com Open Redirect

2014.11.22
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-601

=======================================================================
Booking.com - Open Redirect
=======================================================================

[#] Severity : High
[#] Works on : Any browser with any version
[#] Homepage : www.booking.com
[#] Vulnerable URL : http://www.booking.com/go.html
[#] Author : Sergio Giucastro
[#] Email : info@studio-sg.net

There is an Open Redirect vulnerability in the Booking.com website. The backend accepts one or more parameters and redirects the user to the value of the parameter without validating it properly. A phishing attack is possible, getting the user to download unofficial, untrusted software for his Apple device.

Impact of Vulnerability:
1. The user may be redirected to an untrusted application, without realising that the application has nothing to do with Booking.com.
2. The user may be subjected to phishing attacks.

Proof Of Concept:
http://www.booking.com/go.html?url=http%3A%2F%2Fitunes.apple.com%2Fen/app/tripadvisor-hotels-flights/id284876795?mt=8;sn=itunes;date=2013-11-26;pid=17ba48fd701b009d;aid=304142

Solution:
The validation of the url parameter is not done properly; the portion of the string describing the application name should be checked too.

Report-Timeline:
================
2014-11-17: Vendor Notification (Booking.com Security Team)
2014-11-18: Vendor Fix/Patch (Facebook Developer Team)
2014-11-20: Public Disclosure
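The solution section asks for the url parameter to be validated down to the application path, not just the host. The following is an added example of such a validator, written for this page and not Booking.com's own code: it emulates a go.html-style redirector that only follows the url parameter when the scheme, host and path prefix are on an allowlist, and otherwise falls back to the site's front page. The allowlist, the fallback URL and the App Store path prefix are constructed placeholders (the official app's real path is not given on the page); the test inputs include the advisory's own proof-of-concept value.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed allowlist for this example: each host the redirector may send
# users to, with the path prefixes permitted on that host. The App Store
# entry uses a placeholder path; the real official app path is an assumption.
ALLOWED_TARGETS = {
    "www.booking.com": ("/",),
    "itunes.apple.com": ("/app/PLACEHOLDER-official-booking-app/",),
}

FALLBACK_URL = "https://www.booking.com/"  # constructed default destination


def is_safe_redirect(target: str, allowed=ALLOWED_TARGETS) -> bool:
    """Return True only for site-relative paths or absolute http(s) URLs whose
    host and path prefix are allowlisted. Everything else is rejected:
    protocol-relative URLs, non-http schemes, userinfo in the authority,
    explicit ports and unknown hosts."""
    if not target:
        return False
    target = target.strip()
    # A single leading slash keeps the user on the current host; "//" and "/\"
    # are treated as protocol-relative by browsers, so they are refused.
    if target.startswith("/") and not target.startswith(("//", "/\\")):
        return True
    parts = urlsplit(target)
    if parts.scheme.lower() not in ("http", "https"):
        return False
    if not parts.netloc or parts.username is not None or parts.password is not None:
        return False
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    host = parts.hostname
    if host is None or port is not None:
        return False
    prefixes = allowed.get(host.lower())
    if prefixes is None:
        return False
    path = parts.path or "/"
    # Check the application path as well, not only the host (the advisory's point).
    return any(path.startswith(prefix) for prefix in prefixes)


def redirect_target_from_query(query: str, fallback: str = FALLBACK_URL) -> str:
    """Emulate the go.html handler: read the url parameter from the raw query
    string and return it only if it passes validation, else the fallback."""
    params = parse_qs(query, keep_blank_values=True)
    candidate = params.get("url", [""])[0]
    return candidate if is_safe_redirect(candidate) else fallback


if __name__ == "__main__":
    # Constructed inputs: the advisory's proof-of-concept query, then a same-site target.
    poc_query = ("url=http%3A%2F%2Fitunes.apple.com%2Fen/app/tripadvisor-hotels-flights/"
                 "id284876795?mt=8;sn=itunes;date=2013-11-26;pid=17ba48fd701b009d;aid=304142")
    print(redirect_target_from_query(poc_query))
    print(redirect_target_from_query("url=https%3A%2F%2Fwww.booking.com%2Fhotel%2Fit%2Fexample.html"))
```

The host match is exact rather than a substring or suffix test, so look-alike hosts that merely contain the allowed name do not pass, and userinfo before an `@` is rejected because urlsplit would otherwise report the allowed name as the username and a different host as the destination. Site-relative paths are accepted as a convenience; drop that branch if the redirector should only ever emit absolute allowlisted URLs.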



Copyright 2024, cxsecurity.com
