Security researcher David Sopas has identified a couple of document object model (DOM) based cross-site scripting (XSS) vulnerabilities on the website of world-renowned booking service Booking.com.

“In January I started receiving some phishing emails using Booking.com as bait to spread malware. If these malicious users had the right tools - like for example an XSS vulnerability - they could infect more users. That would not be good,” the expert explained on his blog.
After analyzing the site, he was able to identify DOM-Based XSS vulnerabilities on the iPhone app page and the site’s Frequently Asked Questions section.
“Both vulnerabilities were explored due to the lack of escaping the location.hash and using an older version of jQuery. That way it was possible for a user to inject code into a victim's browser DOM,” Sopas said.
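To show the defensive side of the pattern Sopas describes (a fragment read from location.hash flowing into jQuery without escaping), here is an added example; it is not code from the article or from Booking.com, and the FAQ entry ids and handler names are assumptions.

```javascript
// Added example, not code from the article or from Booking.com.
// The finding: location.hash reached the DOM unescaped, through jQuery APIs
// that (in older versions) treat a '#<tag ...>' string as HTML to build rather
// than as a selector. The hardened handler below treats the fragment as an
// identifier checked against an allow-list, never as markup.

// Accept only fragments shaped like a plain element id: '#' followed by a
// letter and up to 63 letters, digits, '-' or '_'. Applied to the raw hash,
// so '<', '%', '/', quotes and spaces are all rejected. Returns the id
// without the '#', or null when the fragment is absent or malformed.
function idFromHash(hash) {
  const m = /^#([A-Za-z][A-Za-z0-9_-]{0,63})$/.exec(hash || '');
  return m ? m[1] : null;
}

// For the rare case where the fragment itself must be shown as text,
// escape it for an HTML text or attribute context instead of using .html().
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Handler for a FAQ-style page (assumed shape): map the fragment to one of the
// entries the page actually knows about. knownIds is the allow-list; anything
// else resolves to the fallback entry, so a crafted fragment never reaches a
// selector or HTML sink. In a browser the entry would then be opened with
// document.getElementById(id), or $('#' + $.escapeSelector(id)) on jQuery 3+.
function resolveFaqEntry(hash, knownIds, fallback) {
  const id = idFromHash(hash);
  return id !== null && knownIds.includes(id) ? id : fallback;
}

// Constructed inputs standing in for location.hash values.
const FAQ_IDS = ['faq-cancellation', 'faq-payment'];
console.log(resolveFaqEntry('#faq-payment', FAQ_IDS, 'faq-cancellation'));  // faq-payment
console.log(resolveFaqEntry('#<img src=x>', FAQ_IDS, 'faq-cancellation'));  // faq-cancellation
console.log(escapeHtml('<b>"hi"</b>'));                                     // &lt;b&gt;&quot;hi&quot;&lt;/b&gt;
```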
Fortunately, Booking.com managed to address both issues within a couple of hours after being notified. The company says it's constantly working on improving the security of the website.
For those not familiar with David Sopas’ work, he has previously identified security holes on the sites of several security firms and on one of eBay’s websites.