Kayak.com customer Kevin Hunt recently found that the travel site was showing him not only his own reservation details, but also a wide range of information for other customers with the last name of Hunt, including their home addresses, phone numbers, e-mail addresses, and credit card expiration dates.
"He’d used an American Express credit card, which often ends in numbers between 1001 and 1009," writes The Toronto Star's Dylan C. Robertson. "Typing those numbers alongside common names like Smith, he was able to find scores of strangers’ personal information. 'I can’t believe no one’s pointed this out before,' Hunt said. 'You’re telling me no one out of their thousands of customers has ever done this?'"
"In response to Hunt’s email reporting the problem, Kayak.com officials sent the following reply: 'While the presentation is odd/etc and clearly not what a consumer would expect of our site, no financial/authentication/etc information has been exposed,'" Infosecurity reports. "After Hunt posted the details of the problem on a travel chat forum, the company shut down the search engine."
After Hunt posted about the issue on the FlyerTalk Forums, user CFFrost wrote, "I never use Kayak (I always book directly with airline / hotel) but I saw this thread and, like others have said, a quick 'guess' got me an abundance of information. Really, really bad."
Kayak CTO Paul English later wrote in response to the same post, "We have made a fix to our production servers. I will give more info soon."
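The design flaw described above is a reservation lookup whose only "secret" is a common surname plus four guessable card digits. The following is an added illustration, not Kayak's code: a constructed in-memory dataset, a lookup that reproduces the flaw (many strangers' records returned for one low-entropy query), and a hardened lookup that requires a per-booking unguessable confirmation code and returns at most one record. All names, codes and e-mail addresses are invented.

```python
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Reservation:
    locator: str      # per-booking confirmation code, unguessable, issued at booking time
    last_name: str
    card_last4: str
    email: str


# Constructed sample data (hypothetical): several unrelated travellers share a
# common surname and a card number ending in a small numeric range.
RESERVATIONS = [
    Reservation("qL7v3ZpXr9kN2mWd", "Smith", "1001", "a.smith@example.com"),
    Reservation("H4tY8bQc1sVf6gJe", "Smith", "1001", "b.smith@example.com"),
    Reservation("zR2nK5wP8dMx0cTu", "Smith", "1003", "c.smith@example.com"),
    Reservation("Gy9sF1hL4jB7vNa3", "Hunt", "1001", "k.hunt@example.com"),
]


def lookup_weak(last_name: str, card_last4: str) -> list[Reservation]:
    """The flawed design: surname plus four digits from a tiny range is the
    whole check, and every matching record is returned to the caller."""
    return [
        r for r in RESERVATIONS
        if r.last_name.casefold() == last_name.casefold()
        and r.card_last4 == card_last4
    ]


def lookup_hardened(locator: str, last_name: str) -> Optional[Reservation]:
    """The fix: require the per-booking confirmation code (high entropy, known
    only to the traveller), compare it in constant time, and return at most
    one record so a single query can never expose other customers."""
    for r in RESERVATIONS:
        if (hmac.compare_digest(r.locator.encode(), locator.encode())
                and r.last_name.casefold() == last_name.casefold()):
            return r
    return None
```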