Booking.com says typos exposing trip details aren’t a bug

A Booking.com user discovered a significant privacy issue stemming from email typos when booking vacation travel

A stunned user recently discovered that a typo in an email address could inadvertently share private travel information with strangers, who could then access sensitive information and potentially even take over bookings that Booking.com automatically adds to their accounts.

Key takeaways

• The issue arose when a booking was mistakenly linked to a user's account due to an error in the email address entered by another user. Despite initial concerns of hacking, it was determined that the incident was due to Booking.com's design, which automatically links bookings to accounts with matching email addresses;
• The user contacted Booking.com for assistance, but the company failed to provide a timely response or resolution. Eventually, Booking.com explained that this was not a system error or security breach, but a feature that allows users to book travel for others using their email addresses. If an email matches an existing account, the booking is added to that account with no way to remove it later, even in the case of typos;
• While Booking.com maintains that this is an expected feature and does not warrant a fix, the issue raises concerns about privacy and the potential for human error. Ultimately, the user had to manually delete the trip from his account with no resolution from Booking.com, leaving him and others concerned about future risks.

Get the full story at Ars Technica