Hotel chain Marriott might find itself in more trouble than its 2014 FCC fine. A senior developer at the XDA Developers Forum has revealed that the chain’s mobile app might have allowed unauthorized people to gain access to private information, including names, addresses, contact numbers and credit card information. Though the app is said to have been patched now, the security flaw has existed for almost four years, greatly increasing the possible ramifications and the number of victims of this exploit.
To be fair, it’s not entirely the Marriott Android app’s fault. It’s actually the combination of both mobile app and web app that yields such fruit. But the app can be used as the gateway to the garden, so to speak. The app accepts any membership ID without authentication or verification when checking for rewards or reservations. The Marriott website, on the other hand, lets people log in simply using a name and the associated reservation number retrieved from the mobile app. When these two are used together, anyone can get the customer’s private details, including those that can be used to commit identity theft.
You don’t even need to know a specific membership ID to get started. Randy Westergren, the XDA senior member who discovered the software vulnerability, wrote a proof-of-concept program that simply cycled through possible ID combinations until it hit one that had a reservation number on the app. Once that has been acquired, it would be easy for hackers to get whatever they need, even if limited to the last four digits of a credit card number.
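The two weaknesses described above, a lookup that honours any membership ID without tying it to the logged-in user, and the ID cycling that such a lookup invites, are modelled below in an added example. This is not Marriott's or Westergren's code; the reservation table, the `Session` type, the log format and the detection thresholds are all constructed for illustration. The vulnerable lookup is shown beside the hardened one, and a small detector flags the access pattern a defender would look for in the server logs.

```python
"""Added example: missing ownership check on a membership-ID lookup, the fix,
and log-based detection of ID enumeration. All data here is constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data: membership ID -> (guest name, reservation number)
RESERVATIONS = {
    "10000042": ("A. Guest", "RSV-7781"),
    "10000107": ("B. Traveler", "RSV-2210"),
}


@dataclass
class Session:
    """Hypothetical session object: the member the caller actually logged in as."""
    member_id: str


class AuthorizationError(Exception):
    pass


def lookup_reservation_vulnerable(requested_id: str):
    """Mirrors the flaw in the article: whatever membership ID the client sends
    is looked up, with no check that the caller owns that membership."""
    return RESERVATIONS.get(requested_id)


def lookup_reservation_hardened(session: Session, requested_id: str):
    """Bind the lookup to the authenticated member. A client may only retrieve
    the reservation belonging to the membership it logged in as."""
    if session.member_id != requested_id:
        raise AuthorizationError("membership ID does not match authenticated session")
    return RESERVATIONS.get(requested_id)


def is_denied(session: Session, requested_id: str) -> bool:
    """True if the hardened lookup refuses the request."""
    try:
        lookup_reservation_hardened(session, requested_id)
    except AuthorizationError:
        return True
    return False


# Constructed access-log lines in the form "client_ip member_id http_status".
# The first client walks sequential IDs and mostly misses; the second is a normal user.
SAMPLE_LOG = """\
203.0.113.9 10000001 404
203.0.113.9 10000002 404
203.0.113.9 10000003 404
203.0.113.9 10000004 404
203.0.113.9 10000005 404
203.0.113.9 10000042 200
198.51.100.4 10000107 200
198.51.100.4 10000107 200
"""


def detect_enumeration(log_text: str, min_distinct_ids: int = 5, min_miss_ratio: float = 0.5):
    """Flag clients that query many distinct membership IDs with a high miss rate,
    the signature of cycling through ID values. Thresholds are assumptions."""
    per_client = defaultdict(lambda: {"ids": set(), "hits": 0, "misses": 0})
    for line in log_text.splitlines():
        ip, member_id, status = line.split()
        entry = per_client[ip]
        entry["ids"].add(member_id)
        if status == "200":
            entry["hits"] += 1
        else:
            entry["misses"] += 1
    flagged = []
    for ip, e in per_client.items():
        total = e["hits"] + e["misses"]
        if len(e["ids"]) >= min_distinct_ids and e["misses"] / total >= min_miss_ratio:
            flagged.append(ip)
    return flagged


if __name__ == "__main__":
    # The vulnerable lookup hands over another member's reservation number.
    print(lookup_reservation_vulnerable("10000042"))
    # The hardened lookup refuses unless the session owns the membership.
    print(is_denied(Session("10000107"), "10000042"))
    print(detect_enumeration(SAMPLE_LOG))
```

The hardened handler treats the membership ID as a claim that must match the session, not as a lookup key to be trusted on its own; that single check is what the app lacked. The detector is only a first cut: a real deployment would also rate-limit lookups per client and per membership ID, and the thresholds would be tuned against normal traffic.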
To Marriott’s credit, it fixed the app the day after Westergren reported the problem to the hotel owner. The problem is that the app has been vulnerable since the day it was launched, which was way back in 2011. That practically gives hackers four years’ worth of personal information to pilfer.
This latest incident serves to further tarnish Marriott’s reputation in the IT industry, first for its deception and now for its shoddy security practices. Last October, the hotel giant was fined $600,000 by the FCC after being found guilty of intentionally jamming its own guests’ WiFi hotspots in order to force them to use the facility’s own WiFi service, which costs from $250 to $1,000 per device.