Messed Western: Vuln hunters say hotel giant's Autoclerk code exposed US soldiers' info, travel plans, passwords...

A security team for review site vpnMentor, led by Israeli researchers Noam Rotem and Ran Locar, recently found a publicly accessible AWS-hosted database owned by Autoclerk, a reservation system recently acquired by Best Western Hotels and Resorts Group.

The exposed database contained sensitive personal data for thousands of people around the globe, according to vpnMentor, including their hotel and travel reservations. Among those affected were US government and military personnel.

"Our team viewed highly sensitive data exposing the personal details of government and military personnel, and their travel arrangements to locations around the world, both past and future," vpnMentor's pseudonymous author "Guy Fawkes" said in a blog post on Monday. "This represented a massive breach of security for the government agencies and departments impacted."

The researchers claim to have viewed logs for US army generals traveling to Moscow, Tel Aviv, and other destinations, among other sensitive details. And they also say they encountered unencrypted login details for connected services during their probes of the system.

Exposed reservations revealed customers' full names, dates of birth, home addresses, phone numbers, dates and costs of travel, and masked credit card details. On some reservations, this included hotel guest check-in times and room numbers.

A spokesperson for the US Department of Defense told The Register that the DoD is looking into the company's claims but had no information to provide at the time this story was filed.

The researchers say they discovered the database on September 13 and notified CERT the same day. After receiving no response, they contacted the US Embassy in Tel Aviv on September 19 about the lack of CERT response, managed to reach someone at the Pentagon on September 26, and finally on October 2 they saw the database closed.

Autoclerk provides reservation services for multiple travel-oriented companies, including hotels and travel agencies, and travel platforms such as HAPI Cloud, OpenTravel, and Synxis. One of the affected platforms belongs to a contractor who handles travel arrangements for US military personnel, claims Fawkes.

The researchers say the database they explored contained more than 179GB of data and speculate that much of it came from external travel and hospitality platforms – the exposed Autoclerk database connected these external systems and allowed them to interact with one another.

"Whoever owns the database in question uses an Elasticsearch database, which is ordinarily not designed for URL use," said Fawkes. "However, we were able to access it via browser and manipulate the URL search criteria into exposing schemata from a single index at any time."

vpnMentor did not immediately respond to a request to clarify whether the Autoclerk database is an Elasticsearch database or whether it interfaces with a separate Elasticsearch database. We'd also like to know why Fawkes claimed only "1000s" of people had personal details exposed when the database is said to have contained "100,000s" of booking reservations amounting to 179GB of data.

In any event, it's not uncommon for security pros to manage to probe improperly secured databases by crafting data queries using URL parameters.

Fawkes said the researchers identified the database with port scans conducted for a web mapping project.

Neither Autoclerk nor Best Western responded to requests for comment. ®