The Linkielist

Linking ideas with the world

The Linkielist

Daily Archives: November 9, 2020

Hotels.com, Booking.com Expedia provider exposed data from 2013 for millions of guests on open AWS bucket

Posted on by

Website Planet reports that Prestige Software, the company behind hotel reservation platforms for Hotels.com, Booking.com and Expedia, left data exposed for “millions” of guests on an Amazon Web Services S3 bucket. The 10 million-plus log files dated as far back as 2013 and included names, credit card details, ID numbers and reservation details.

It’s not certain how long the data was left open, or if anyone took the data. Website Planet said the hole was closed a day after telling AWS about the exposure. Prestige confirmed that it owned the data.

The damage could be severe if crooks found the data. WP warned that it could lead to all too common risks with hotel data exposures like credit card fraud, identity theft and phishing scams. Perpetrators could even hijack a reservation to steal someone else’s vacation.

Source: Hotels.com, Expedia provider exposed data for millions of guests | Engadget

UK Company House Demands Company Stop Using Name Which Includes an HTML Closing Tag

Posted on by

A British software engineer came up with “a fun playful name” for his consulting business. He’d named it:

“”>

Unfortunately, this did not amuse the official registrar of companies in the United Kingdom (known as Companies House). The Guardian reports that the U.K. agency “has forced the company to change its name after it belatedly realised it could pose a security risk.” Henceforward, the software engineer’s consulting business will instead be legally known as “THAT COMPANY WHOSE NAME USED TO CONTAIN HTML SCRIPT TAGS LTD.” He now says he didn’t realise that Companies House was actually vulnerable to the extremely simple technique he used, known as “cross-site scripting”, which allows an attacker to run code from one website on another.
Engadget adds: Companies House, meanwhile, said it had “put measures in place” to prevent a repeat. You won’t be trying this yourself, at least not in the U.K.

It’s more than a little amusing to see a for-the-laughs code name stir up trouble, but this also illustrates just how fragile web security can be.

Source: UK Agency Demands Company Stop Using Name Which Includes an HTML Closing Tag – Slashdot