P2021-ND-250

Airbnb Ireland UC

On April 2, 2021, the Organization discovered a technical vulnerability involving user accounts that had been subject to an ?account takeover? (ATO). The Organization reported that the vulnerability did not cause the ATOs; however, it permitted a malicious actor engaged in an ATO to remain logged in to user accounts after the Organization had taken steps to terminate access and force a password reset. The Organization reported it previously informed its users that their accounts had been accessed and took a series of measures to remove the malicious access to user accounts. However, the issue in the Organization?s systems was likely introduced on July 17, 2018 in a software upgrade, so the malicious actor may have continued to have access to user accounts and the information in them. On April 3, 2021, the Organization implemented additional measures to remove the malicious actor?s access to user accounts, and restored the accounts. In the course of an ATO, a malicious actor would have had access to all information that is typically visible to the account user. In some cases, the malicious actor may have made changes to the payment information in user accounts. The Organization managed to successfully terminate all known ATO account sessions believed to have been affected by the vulnerability.

File Type: pdf
Categories: 2021
Tags: Unauthorized access