Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Craig Hale

Booking.com says typo bug can give strangers access to your whole trip

Fingers typing on a computer keyboard.

  • Booking.com apparently links reservations to accounts without any verification
  • User finds typing the wrong email address could link your vacation to another account
  • The company did not remove a false booking from one user’s account

Travellers using Booking.com to pay for accommodation and transport have been warned about a simple typo bug that could see them share their private trip details with strangers, giving them access to sensitive information and even allowing them to take control over bookings.

The issue came to light when a Booking.com user, named as Alfie, received an unexpected email confirming a trip that he hadn’t booked.

Although he exercised caution by not following links on the email, suspecting it was a phishing scam, the mysterious booking had been added to his account, confirming suspicions that the email was indeed from Booking.com.

Watch out for this Booking.com bug

After failing to receive an explanation from the company’s support team, Alfie shared the story with Ars Technica which pressed Booking.com for answers.

It was later revealed the problem occurred when another user had entered Alfie’s email address, presumably by accident, causing the reservation to link to his account. Booking.com has therefore stated the incident is neither a “system glitch” nor a “security breach,” however we now have questions about the robustness of Booking.com’s system.

Booking.com said (via Ars Technica): “Following our investigation, we found that the issue occurred due to a customer input error during the reservation process, where he inadvertently entered an incorrect email address. That email address, however, belonged to another Booking.com customer which caused the reservation to be linked to their account.”

Alfie’s experience highlights a worrying loophole where Booking.com’s system automatically adds bookings to accounts via the email address provided, without any further verification, making it easy to inadvertently share private information with others and lose your own booking.

Although the chances of typing a completely different email address are pretty slim, a single misplaced letter could direct the booking to another closely related email address.

Moreover, Booking.com declined to remove the trip from Alfie’s account, stating that it would be a violation of the privacy of the user who actually booked the trip.

You might also like

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.