Marriott quickly strengthened its controls after the discovery of a security design weakness in an Android-based application.


The issue, patched last week, made it simple for attackers to access the reservation and personal details of Marriott customers via its web services, exposing check-in dates, victims’ last names, and victims’ contact information including physical address, email address and partial payment card data.

It turned out that Marriott’s Android app did not need to authenticate at all to query Marriott’s web services for reservation information; all it required was a Membership ID. That meant that if Westergren, or someone malicious, wanted to access the details of many Marriott Rewards members, all he would have had to do was change the Membership ID used in the query to the web server.
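To make the failure concrete, here is an added example, not Marriott’s code or the researcher’s: a stand-in reservation lookup that reproduces the described weakness (the Membership ID in the request is the only thing consulted) beside a hardened version that first authenticates the caller and then checks that the requested record belongs to the authenticated member, plus a simple check over constructed access-log lines for the enumeration pattern the weakness would allow. The membership IDs, reservation fields, credentials and log format are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample data standing in for the reservation store and the
# member credential store; none of these values come from the article.
RESERVATIONS = {
    "100000001": {"last_name": "Doe", "check_in": "2015-01-20",
                  "email": "jdoe@example.com", "card_last4": "4242"},
    "100000002": {"last_name": "Roe", "check_in": "2015-01-22",
                  "email": "rroe@example.com", "card_last4": "0005"},
}


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT_1 = secrets.token_bytes(16)
_SALT_2 = secrets.token_bytes(16)
CREDENTIALS = {
    "100000001": (_SALT_1, _hash_password("correct horse battery", _SALT_1)),
    "100000002": (_SALT_2, _hash_password("another passphrase", _SALT_2)),
}
SESSIONS = {}  # bearer token -> membership ID it was issued to


class AuthError(Exception):
    """Request carries no valid session (would be an HTTP 401)."""


class Forbidden(Exception):
    """Session is valid but does not own the requested record (HTTP 403)."""


def lookup_reservation_vulnerable(membership_id):
    """The weakness described above: the Membership ID in the request is the
    only thing consulted, so changing it returns someone else's reservation."""
    return RESERVATIONS.get(membership_id)


def login(membership_id, password):
    """Verify a credential and issue a random session token bound to the member."""
    entry = CREDENTIALS.get(membership_id)
    if entry is None:
        raise AuthError("unknown member")
    salt, expected = entry
    if not hmac.compare_digest(_hash_password(password, salt), expected):
        raise AuthError("bad password")
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = membership_id
    return token


def lookup_reservation_hardened(token, membership_id):
    """Authenticate the caller, then authorize: the record requested must
    belong to the member the session was issued to, whatever ID the client
    put in the request. Foreign and nonexistent IDs get the same answer."""
    owner = SESSIONS.get(token)
    if owner is None:
        raise AuthError("missing or invalid session token")
    if not hmac.compare_digest(owner, membership_id):
        raise Forbidden("record does not belong to the authenticated member")
    return RESERVATIONS.get(membership_id)  # None simply means no reservation


# Constructed access-log lines (client address, method, path) for the detector.
SAMPLE_LOG = [
    "198.51.100.7 GET /reservation/100000001",
    "203.0.113.5 GET /reservation/100000001",
    "203.0.113.5 GET /reservation/100000002",
    "203.0.113.5 GET /reservation/100000003",
    "203.0.113.5 GET /reservation/100000004",
    "198.51.100.7 GET /reservation/100000001",
]


def flag_enumeration(log_lines, threshold=3):
    """Return clients that requested more than `threshold` distinct membership
    IDs. A member legitimately touches their own ID; one client walking through
    many IDs is the access pattern the weakness above would allow."""
    ids_per_client = defaultdict(set)
    for line in log_lines:
        client, _method, path = line.split()
        ids_per_client[client].add(path.rsplit("/", 1)[-1])
    return sorted(c for c, ids in ids_per_client.items() if len(ids) > threshold)
```

The hardened lookup deliberately ignores the client-supplied ID as a source of authority: the session decides whose data may be returned, and the ID only has to match it. The log check is the detection side of the same point, since a service that binds records to sessions gives a single client no legitimate reason to request many members' records.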