Grammar Matters - App Crashing for PII

What information is valuable to you? Probably your home address, date of birth, kids’ birthdays. Obviously, things like your social security number or account numbers are ones you want to keep close. Likely, you do things to protect this information, whether by not sharing it publicly or storing it in safe locations. You may keep passwords to this information in software like NordPass or 1Password.

So here’s the scenario: you book a vacation with your family six months in advance. You go directly to the hotel’s website instead of using a broker, or maybe you called the hotel and made your reservations over the phone. You’ve gotten your confirmation email and otherwise notice no abnormalities. You arrive at the hotel, check in, are handed your room key, and enter your room. Success, right? Well, maybe.

Ariane Systems is a French developer of self-check-in and check-out programs for the hospitality industry. Their products can be seen in hotels around the world, with kiosks that allow guests to verify their reservations and receive their room keys. The device is, for all intents and purposes, an iPad running a Microsoft operating system. Loaded onto the screen when you arrive is an application that services reservations, including checking in and out. The self-service kiosk will coordinate and distribute an RFID badge for the guest to use at the room the application indicates.

In March 2024, Martin Schobert of Pentagrid discovered that when a customer with a name containing an apostrophe searched for their reservation, the software would hang and prompt the Microsoft OS to bring up its "program not responding" interface. If the user then force-closed the program, they’d be dropped back to the OS’s main interface. From there, a user had unfettered and unanticipated access to the operating system to mosey around or aim for privilege escalation. Meaning, said user could then find where reservation data was stored, including names, credit card numbers, and room key RFID.

You’ve probably never emailed anyone whose email address has an apostrophe in it, right? For whatever reason, apostrophes and quotation marks have given operating systems errors for years. My understanding is that the lack of uniform direction in programming has made the handling of these characters difficult, resulting in the syntax of one program recognizing the apostrophe differently from that of another. Additionally, they’ve proven difficult to handle for credentialing interfaces and have resulted in login exploitation. There are numerous Hack The Box instances whereby SQL injections are identified based on an interface’s response to a single quote character being used as a login ID. If the SQL injection was successful, the breacher would then gain access to the hopefully-not-in-plain-text usernames and passwords. This could lead to logins whereby the breacher would gain access to stored information like credit card numbers.

I don’t have much by way of remedies to this issue. You’re at the mercy of a hotel’s contractor for managing guests, and the flaws in the program that come with it. However, there are a host of methods for testing a login page for potential exploits. A single comma or apostrophe is a great place to start. Otherwise, searching for SQL injections will lead you to other methods.
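
To show why a name with an apostrophe can break a lookup at all, here is an added example (not code from Ariane Systems or Pentagrid) comparing a reservation search built by string concatenation with one that uses a bound parameter. The table, column and function names and the sample rows are assumptions made up for the illustration, and the page does not state the actual root cause of the kiosk hang.

```python
import sqlite3

def make_db():
    """In-memory database with constructed sample reservations (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE reservations (surname TEXT, room TEXT)")
    db.executemany("INSERT INTO reservations VALUES (?, ?)",
                   [("O'Brien", "214"), ("Smith", "305")])
    return db

def lookup_concat(db, surname):
    """Weak form: the guest's name is pasted into the SQL text itself."""
    sql = "SELECT room FROM reservations WHERE surname = '" + surname + "'"
    return [row[0] for row in db.execute(sql)]

def lookup_param(db, surname):
    """Hardened form: the name travels as a bound parameter and is only ever data."""
    sql = "SELECT room FROM reservations WHERE surname = ?"
    return [row[0] for row in db.execute(sql, (surname,))]

def probe(db, surname):
    """Run both lookups on the same input and report what each one did."""
    try:
        concat = lookup_concat(db, surname)
    except sqlite3.Error as exc:
        # The apostrophe closed the string literal early, so the statement
        # no longer parses. An application that does not catch this fails.
        concat = "error: " + exc.__class__.__name__
    return {"concat": concat, "param": lookup_param(db, surname)}

if __name__ == "__main__":
    db = make_db()
    for name in ("Smith", "O'Brien"):
        print(name, probe(db, name))
```

A regression test that feeds legitimate names containing apostrophes and quotation marks through every search field catches this class of bug before a guest does.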
