Restaurant booking platforms overrun with bots trying to steal data, researchers warn


A new analysis of restaurant booking websites shows that 100% of online reservation platforms lack robust security measures, leaving them and your data at risk from savvy attackers.

That’s according to a new security assessment of table booking sites by threat researchers at DataDome, a security firm specializing in cyberfraud and bot protection.

The researchers warn that when demand for reservations is high, “these booking platforms are highly attractive targets for malicious bot attacks, lending to instances of scalping, credential stuffing, and fraudulent account creation.”


A DataDome security alert was released on Tuesday to coincide with the kick-off of New York City Restaurant Week, running through February 9th.

But it’s not just New York; these weeks-long dining events are also held in most major cities around the world from now through March. What's more, these attackers are prepared, unleashing waves of automated bots designed to take advantage of unsuspecting diners and restaurateurs alike.

“These threats can disrupt operations, impact genuine customers, and lead to financial losses for both diners and restaurants,” DataDome said.

Bot attacks: I’ll take a fake reservation for two

Top booking sites, such as Resy, OpenTable, Yelp Guest Manager, Toast, and Tock, are used by millions each day to book tables at their favorite dining spot.

Although none were mentioned by name, the DataDome real-time analysis of “various table booking websites” found that 100% of all websites and booking apps were vulnerable to bot attacks. This was mainly due to bots’ abilities to create fake accounts without triggering any system alerts and the platforms’ lack of strong authentication controls.


Besides the fact that every single booking site DataDome tested allowed bots to create fake accounts, the bots were also able to freely make reservations without any red flags.

From single to multiple table bookings, DataDome's “proof of concept confirmed” that bots could “book single tables for two” and/or “book multiple tables on the same day or within a short period,” demonstrating the potential scalability of attacks.

Furthermore, only 40% of websites used bot detection solutions, and the research showed that none of the platforms prevented fake account creation or credential stuffing.

Resy sample page (image: Resy.com)

In credential stuffing, attackers take already stolen usernames and passwords and, using automated bots, try to “stuff” the stolen credentials into the target system, hoping to match the login information to a legitimate account.

Once in the system, attackers often create massive amounts of fake accounts, with the intent of using them for future attacks if the platforms implement stricter defenses, researchers said.
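The credential-stuffing pattern described above has a recognisable shape in authentication logs: one source tries many different usernames in a short window, most attempts fail, and the occasional success marks an account whose password was already in a breach dump. The detector below is an added example (not DataDome's code or any booking platform's); the log format and the thresholds are assumptions, and the log lines are constructed sample data.

```python
"""Credential-stuffing detector over authentication log lines.

Added example, not code from the article or from DataDome. The log format,
the window size and the thresholds are assumptions chosen for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> ip=<source> user=<login> result=<ok|fail>".
# 203.0.113.9 sprays six different logins in six seconds (one of them succeeds);
# 198.51.100.4 is one person retyping their own password.
SAMPLE_AUTH_LOG = """\
2025-01-21T20:00:01Z ip=203.0.113.9 user=alice result=fail
2025-01-21T20:00:02Z ip=203.0.113.9 user=bob result=fail
2025-01-21T20:00:03Z ip=203.0.113.9 user=carol result=ok
2025-01-21T20:00:04Z ip=203.0.113.9 user=dave result=fail
2025-01-21T20:00:05Z ip=203.0.113.9 user=erin result=fail
2025-01-21T20:00:06Z ip=203.0.113.9 user=frank result=fail
2025-01-21T20:01:00Z ip=198.51.100.4 user=alice result=fail
2025-01-21T20:01:30Z ip=198.51.100.4 user=alice result=fail
2025-01-21T20:02:00Z ip=198.51.100.4 user=alice result=ok
"""

WINDOW = timedelta(minutes=5)   # assumed sliding window
MIN_ATTEMPTS = 5                # attempts from one source inside the window ...
MIN_DISTINCT_USERS = 4          # ... spread over at least this many different logins


def parse_auth_line(line: str) -> dict:
    """Parse one 'timestamp key=value ...' line into a dict."""
    ts, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, value = field.split("=", 1)
        event[key] = value
    return event


def parse_auth_log(text: str) -> list[dict]:
    return [parse_auth_line(l) for l in text.splitlines() if l.strip()]


def detect_credential_stuffing(events: list[dict]) -> dict[str, dict]:
    """Return {ip: summary} for sources whose attempts look like stuffing.

    A source is flagged when, inside WINDOW, it makes at least MIN_ATTEMPTS
    login attempts against at least MIN_DISTINCT_USERS different accounts.
    The summary lists the accounts that succeeded during that burst: those
    are the ones a platform should force through a reset or step-up check.
    """
    by_ip: dict[str, list[dict]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    hits: dict[str, dict] = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within WINDOW.
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW:
                start += 1
            window = evs[start:end + 1]
            users = {e["user"] for e in window}
            if len(window) >= MIN_ATTEMPTS and len(users) >= MIN_DISTINCT_USERS:
                hits[ip] = {
                    "attempts": len(window),
                    "distinct_users": len(users),
                    "successes": sorted(e["user"] for e in window if e["result"] == "ok"),
                }
    return hits


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(ip, summary)
```

The distinct-user threshold is what separates stuffing from an ordinary user who has forgotten a password: a single login retried a few times from one address is not flagged, while a burst across many logins is, regardless of how many of those attempts happened to succeed.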

Please, no more weak sauce

When it comes to authentication measures, DataDome said that 100% of booking sites had weaknesses, leaving them vulnerable to exploitation.

The research showed only:

  • 20% of sites deployed a CAPTCHA.
  • 40% of sites sent validation emails or one-time passwords (OTPs) for registration or login.
  • 20% of the sites had Multi-Factor Authentication (MFA).

Because of these deficiencies, attackers can use “simple tactics like temporary email services, alias tricks, and Gmail dot techniques (creating multiple email addresses from an original address by simply moving the dot placement) to easily bypass registration checks.”
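The alias tricks listed above all exploit the same gap: the platform compares the address string a user typed instead of the mailbox it actually delivers to. Canonicalising addresses before the duplicate check closes that gap. The code below is an added example (not DataDome's code or any booking platform's); the disposable-domain list is a constructed placeholder, and treating a `+tag` suffix as an alias for every provider is an assumption made for the illustration.

```python
"""Registration-time e-mail canonicalisation.

Added example, not code from the article or from DataDome. Collapses the
alias tricks named in the article so that many typed addresses that reach
one mailbox count as one registration.
"""
from __future__ import annotations

# Gmail ignores dots in the local part and treats googlemail.com as gmail.com.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

# Constructed placeholder deny-list of temporary-mail domains; a real
# deployment would load a maintained list instead.
DISPOSABLE_DOMAINS = {"tempmail.example", "throwaway.example"}


def canonical_email(address: str) -> str:
    """Return the form of an address used for duplicate detection.

    - lower-cases and trims the address
    - drops a '+tag' sub-address from the local part (assumed for all
      providers here; many, including Gmail, honour it)
    - for Gmail, removes dots from the local part and maps googlemail.com
      to gmail.com, so j.ane+x@googlemail.com and jane@gmail.com collide
    Raises ValueError for input that is not a single local@domain pair.
    """
    addr = address.strip().lower()
    if addr.count("@") != 1:
        raise ValueError(f"malformed address: {address!r}")
    local, domain = addr.split("@")
    if not local or not domain:
        raise ValueError(f"malformed address: {address!r}")
    local = local.split("+", 1)[0]
    if domain in GMAIL_DOMAINS:
        local = local.replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def is_disposable(address: str) -> bool:
    """True when the address belongs to a known temporary-mail domain."""
    return canonical_email(address).split("@")[1] in DISPOSABLE_DOMAINS


class Registry:
    """Minimal account store that rejects aliases of an existing account."""

    def __init__(self) -> None:
        self._seen: set[str] = set()

    def register(self, address: str) -> tuple[bool, str]:
        """Return (accepted, reason)."""
        if is_disposable(address):
            return False, "disposable domain"
        key = canonical_email(address)
        if key in self._seen:
            return False, "duplicate of existing account"
        self._seen.add(key)
        return True, "ok"


if __name__ == "__main__":
    reg = Registry()
    for a in ["jane.doe@gmail.com", "JaneDoe+promo@googlemail.com",
              "jane.doe@example.com", "janedoe@example.com", "bot@tempmail.example"]:
        print(a, "->", reg.register(a))
```

Note that dot-folding is applied only to Gmail domains: at most other providers `jane.doe` and `janedoe` are different mailboxes, so folding them everywhere would wrongly block legitimate users. The check belongs alongside, not instead of, the e-mail or OTP verification the article recommends.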

Due to the lack of robust authentication measures, credential stuffing becomes much easier, allowing cybercrooks to steal personal data, including loyalty and rewards account information, or hijack existing reservations by canceling and rebooking them, DataDome said.

Additionally, many booking sites now require a credit card hold to make reservations, which could allow attackers to access credit cards and other financial information.

DataDome said attackers have also been seen scalping reservations for in-demand restaurants. The bots book high-demand tables en masse and either resell the reservations to the highest bidder or hold them hostage, demanding payment from the legitimate diner to release them.

In fact, hijacked reservations have become such an issue in New York that the city has enacted the Restaurant Reservation Anti-Piracy Act to rein in malicious bots stealing reservations from trusted booking platforms and reselling them on the black market.

How to protect the system

DataDome said the tests were conducted using an open-source bot framework without custom configuration, indicating that attackers using more advanced techniques could inflict even greater damage.

The cybersecurity firm says the most effective way to protect yourself or your restaurant from bot attacks is to employ advanced bot protections, such as real-time detection and mitigation of automated threats.


Platforms should also strengthen their registration/account creation processes, including adding email and OTP verification and implementing MFA.


Next, both platforms and restaurants should enhance their booking defenses to detect and block abnormal booking patterns. This includes monitoring for unusual activities, such as rapid or repeated table bookings and bulk bookings across multiple days.
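The patterns named above (rapid or repeated bookings and bulk bookings across several days) can be expressed as simple rules over a platform's booking events. The detector below is an added example (not DataDome's product logic or any platform's code); the event format and the thresholds are assumptions, and the log lines are constructed sample data in which one account behaves like the proof-of-concept bot the article describes and two behave like ordinary diners.

```python
"""Abnormal-booking detector over booking event lines.

Added example, not code from the article or from DataDome. Flags the
patterns the article lists: rapid bookings, repeated tables in one slot,
and bulk bookings spread across many dining dates.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<timestamp> account=<id> restaurant=<id> date=<dining date> party=<n>".
# a1 books six tables in ten seconds, three of them at one restaurant on one
# date and the rest across four different days; a2 and a3 book normally.
SAMPLE_LOG = """\
2025-01-21T18:00:05Z account=a1 restaurant=r9 date=2025-01-25 party=2
2025-01-21T18:00:07Z account=a1 restaurant=r9 date=2025-01-25 party=2
2025-01-21T18:00:09Z account=a1 restaurant=r9 date=2025-01-25 party=2
2025-01-21T18:00:11Z account=a1 restaurant=r4 date=2025-01-26 party=2
2025-01-21T18:00:13Z account=a1 restaurant=r4 date=2025-01-27 party=2
2025-01-21T18:00:15Z account=a1 restaurant=r4 date=2025-01-28 party=2
2025-01-21T18:05:00Z account=a2 restaurant=r9 date=2025-01-25 party=4
2025-01-21T19:30:00Z account=a3 restaurant=r2 date=2025-01-30 party=2
2025-01-22T09:12:00Z account=a3 restaurant=r9 date=2025-02-01 party=2
"""

RAPID_WINDOW = timedelta(minutes=10)  # assumed sliding window for "rapid"
RAPID_LIMIT = 3                       # more than this many bookings in the window
BULK_DISTINCT_DAYS = 3                # bookings on at least this many dining dates
REPEAT_SAME_SLOT = 2                  # more than this many tables, one restaurant, one date


def parse_line(line: str) -> dict:
    """Parse one 'timestamp key=value ...' line into a dict."""
    ts, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, value = field.split("=", 1)
        event[key] = value
    event["party"] = int(event["party"])
    return event


def parse_log(text: str) -> list[dict]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect_anomalies(events: list[dict]) -> dict[str, set[str]]:
    """Return {account: set(reasons)} for accounts showing abnormal patterns."""
    by_account: dict[str, list[dict]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_account[e["account"]].append(e)

    flagged: dict[str, set[str]] = defaultdict(set)
    for acct, evs in by_account.items():
        # Rapid: sliding window over booking timestamps.
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > RAPID_WINDOW:
                start += 1
            if end - start + 1 > RAPID_LIMIT:
                flagged[acct].add("rapid")
                break
        # Bulk: bookings spread across many distinct dining dates.
        if len({e["date"] for e in evs}) >= BULK_DISTINCT_DAYS:
            flagged[acct].add("bulk_days")
        # Repeat: several tables at the same restaurant on the same date.
        slots: dict[tuple[str, str], int] = defaultdict(int)
        for e in evs:
            slots[(e["restaurant"], e["date"])] += 1
        if any(n > REPEAT_SAME_SLOT for n in slots.values()):
            flagged[acct].add("repeat_slot")
    return dict(flagged)


if __name__ == "__main__":
    for acct, reasons in detect_anomalies(parse_log(SAMPLE_LOG)).items():
        print(acct, sorted(reasons))
```

Each rule is deliberately independent, so a hit can be routed differently: a "repeat_slot" hit might hold the extra tables for manual review, while "rapid" combined with "bulk_days" is the scalping shape and is a reasonable trigger for a step-up check before any further booking is confirmed.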

Finally, the booking platforms should educate and encourage their users to enable security features (if available) and monitor their accounts for suspicious activities, the research said.

Restaurant week events are often held twice a year as a way to entice unadventurous diners and experienced foodies alike to try new restaurants using special pricing and prix fixe menus, with hundreds of restaurants taking part in their locales.