Booking.com ignores two-factor, lets everyone email-login without a password

90 points by MyFirstSass, 11 months ago
Okay so this is crazy.

I, like thousands of others, have been receiving daily booking.com confirmation e-mails lately.

This is probably because of a leak they've hidden instead of going public with, but that's not the worst part.

I looked up the issue and apparently thousands are getting these e-mails.

But hey, you still need to go through a link from your e-mail to set your new password, right?

No!

Apparently their login mechanism lets everyone log in as you as long as you click a huge "I verify this is me" button even if they are on the other side of the earth, so one fumble with your phone and you grant some random person access to your account, and if these people send you 10 requests a day, yeah, you get the point.

But it gets worse.

You can't even log in with a password anymore; every time you press login you get the same login e-mail scammers are sending, with no ability to discern who sent what.

But wait, it gets much worse.

At first I almost deleted my account, but thought hey, I'll just set up two-factor and assess the situation.

After enabling two-factor, and seeing a big green "Twofactor verified" badge, I tried logging out again, then clicked on "sign in". I wrote my e-mail and to my horror the page displayed "We've sent you an email to let you login". I went to Gmail; surely this e-mail would take me to a site that required two-factor authentication?

No two-factor! Not even a password or a query string. Just the same e-mail scammers are sending 5 times a day and access to all of my information, with absolutely no trace of any two-factor.

I urge everyone to either delete their booking.com accounts, e-mail them about this issue or contact some appropriate authority.

20 comments

354896547981565, 11 months ago
I tried to log in to booking.com, but it claimed that I hadn't registered yet. So I registered again, with the same email. It didn't verify my email, and after logging out and in again, with the new password, all my old bookings were still available. So yeah... I was effectively able to change the password without any form of verification.

This was 20 days ago.

notfried, 11 months ago
Booking.com has one weird "feature" where they allow you to check out without signing in, using the email of any other Booking.com user without verification in the checkout form. I had dozens and dozens of orders "placed on my behalf" this way; they were all no-shows and their CCs were declined, and they ended up disabling my account for fraud suspicion.

simonw, 11 months ago
I don't understand this bit:

> Apparently their login mechanism lets everyone login as you as long as you click a huge "I verify this is me" button even if they are on the other side of earth, so one fumble with your phone and you grant some random person access to your account

Can I enter an email address on their site and click "I verify this is me" to steal an account? What does the "fumble with your phone" refer to?

elAhmo, 11 months ago
Hah, I thought I was an isolated case getting dozens of login emails per day.

The only solution I found was to literally change my email on Booking.com; the emails have stopped now.

TYPE_FASTER, 11 months ago
I've noticed more sites using the ability to access an e-mail account as an authentication mechanism.

I think they are using it in different ways. Booking.com uses it as a primary authentication mechanism: enter your e-mail address, they send a link to that e-mail address, and clicking the link effectively authenticates you and you are logged in.

When I click on a link to a NextDoor post, sometimes it redirects me to a page with a button. Click the button, they send you an e-mail with a link, and clicking the link redirects me to the NextDoor post. What isn't clear in this case is if the e-mail link is a primary form of authentication, or secondary. For example, maybe my auth session expired, so they know I logged in at some point in the past, and the link in the e-mail is used to refresh my session.

I have to admit, I like the ease of using e-mail access as a form of authentication. I'm not sure how I feel about it being the primary form of authentication.

wwweston, 11 months ago
> "I verify this is me" button even if they are on the other side of earth, so one fumble with your phone and you grant some random person access to your account, and if these people send you 10 messages a day

This isn't that far outside the norm, and assuming I understand correctly that this verification button is in the email itself, I assume it is itself a verification link.

Still, taken together with everything (especially an undisclosed leak), it's enough that I've deleted my payment methods from Booking.com along with some additional personal info, and probably won't be re-storing them short of the kind of retrospective reassurance that most management apparently finds beyond their capability. Without a payment method to abuse or even further data to harvest, it's hard to imagine an attacker having incentive to engage the account.

gojomo, 11 months ago
Sounds like they're under active attack due to some poor initial practices & having a hard time getting in front of it.

I suggest changing your email with booking.com to something the attackers wouldn't know.

Using the Gmail option of extending your normal username with '+' something – e.g. use ACCOUNT+unguessable-string@gmail.com in place of ACCOUNT@gmail.com – might be enough. With luck (if the site hasn't been too dumb), when they hit the site with your old/plain address, no email will be generated.

cpitman, 11 months ago
I'm also receiving these emails, but didn't realize anything was different because my email is ready for people to accidentally sign up with.

Please, if you are implementing an email confirmation process, include a way to say "this is not me". Someone has been periodically trying to activate their account on some website, and there is no way for me to make it stop.

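An added example, not Booking.com's code and not from anyone in this thread, sketching how the email-link flow TYPE_FASTER describes can avoid the failure in the original post: the link is bound to the browser that requested it, is single-use and short-lived, counts only as a first factor (a TOTP code is still required when one is enrolled), and the same email carries the "this is not me" control cpitman asks for. The user store, the demo secret and all names are constructed; callers pass the clock (`now`, seconds since epoch) so the flow can be exercised offline.

```python
import hashlib
import hmac
import secrets

TOKEN_TTL, TOTP_STEP = 600, 30  # link lifetime (s), TOTP period (s)
# Constructed in-memory stores standing in for a real database (assumption).
USERS = {"alice@example.com": {"totp_secret": b"constructed-demo-secret"}}
PENDING = {}  # token -> {"email", "nonce", "stage", "expires"}

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP; TOTP uses counter = now // TOTP_STEP."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def request_login(email, now):
    """Browser submits an address: nonce -> cookie in that browser, token -> email."""
    token, nonce = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    PENDING[token] = {"email": email, "nonce": nonce, "stage": "sent",
                      "expires": now + TOKEN_TTL}
    return token, nonce

def click_link(token, cookie_nonce, now):
    """Single-use, expiring, and bound to the requesting browser's cookie."""
    rec = PENDING.get(token)
    user = USERS.get(rec["email"]) if rec else None
    if user is None or rec["stage"] != "sent" or now > rec["expires"]:
        return "rejected"
    if not hmac.compare_digest(rec["nonce"], cookie_nonce):
        rec["stage"] = "denied"  # opened on a different device: burn the token
        return "rejected"
    rec["stage"] = "await_totp" if user.get("totp_secret") else "done"
    return "needs_second_factor" if rec["stage"] == "await_totp" else "logged_in"

def submit_totp(token, code, now):
    """The emailed link is only the first factor; a TOTP code is still required."""
    rec = PENDING.get(token)
    if rec is None or rec["stage"] != "await_totp" or now > rec["expires"]:
        return "rejected"
    expected = hotp(USERS[rec["email"]]["totp_secret"], int(now // TOTP_STEP))
    if not hmac.compare_digest(expected, code):
        return "rejected"
    rec["stage"] = "done"
    return "logged_in"

def deny_login(token):  # "this was not me" link carried in the same email
    if token in PENDING:
        PENDING[token]["stage"] = "denied"
    return token in PENDING
```

A link clicked by the recipient on a phone that never requested it therefore fails the cookie check and is burned, which is the scenario the original post describes.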
xyst, 11 months ago
Who are these "thousands" of other people you are referring to? Is this a Reddit/Twitter/Lemmy thread?

sc250024, 11 months ago
Having the same problem. It's really annoying, and they don't seem interested in solving it.

withinboredom, 11 months ago
You can go to YouTube and log in with any random email address and get the full name of the person and profile photo, assuming they've ever logged into Google. All you need is their email address.

Spunkie, 11 months ago
Booking.com's delete-account process is also just a single "feedback" form that goes into a black hole.

There does not seem to be a way to actually delete your account.

frankjr, 11 months ago
> Delete account - We received your request. Check your inbox for xxx to finish deleting your account.

It's been 20 minutes and the email still has not arrived.

insane_dreamer, 11 months ago
If you use another auth mechanism (Google, Apple) to sign in, then 2FA is enforced as expected.

I still get the phishing "login confirmation" emails though.

moomoo11, 11 months ago
When you're too cheap and dumb to spend $0.02 per user for a robust auth system and decide to fuck everything up instead.

wombat-man, 11 months ago
I closed my account just to end the madness. I haven't used booking in a while anyway.

geekodour, 11 months ago
related: https://news.ycombinator.com/item?id=40597278

coldcode, 11 months ago
StupidSecurity. Yeah

I wonder if Booking is mostly third-party contractors or if they have employees. If the latter, then this is likely known inside, but executives don't care. If the former, it's possible executives don't know or also don't care. In my career, I've seen both scenarios. Given Priceline's size (Booking's parent), it could be both. Executives want frictionless processes for customers; security is rarely important. The competitor to Priceline/Booking I worked at about a decade ago emailed forgotten passwords to customers, despite getting training at work where the first rule was don't remember passwords, and we couldn't get leadership to get rid of that because it was "convenient."

moneywoes, 11 months ago
Getting these emails as well.

elevatedastalt, 11 months ago
If your password is leaked, and you then authorize the verification email by clicking on the verify text, how else do you expect Booking.com to prevent access? The point of 2-factor is lost if you are careless with your second factor.

[People seem to be downvoting me, but no one seems to be replying with what the reasonable behavior should be. Maybe my understanding of 2FA through email verification is lacking?]