Security researchers have uncovered an exposed database that belongs to the hotel management provider AavGo. The database was found on an Elasticsearch server that did not require a login or password, allowing anyone to view and potentially download the information. The database includes booking information, guest details, guest complaints, invoices, staff communication, hotel room images, and broken equipment information. It also includes hotel admin login details, admin username and password, the reservation system and the internal database. Personal information of over eight million guests is contained in the database, including names, birth dates, email addresses, home addresses, marital status, children information and credit card issuer. Companies that use the AavGo software include Baymont Inn & Suites, The Row Hotel, Holiday Inn Express, Days Inn, Best Western Hotels and Resorts, clients of Equinox Solutions LTD and many others. The affected clients of Equinox Solutions LTD are The Ritz Carlton, Hyatt, Marriott, Oberoi, and the Hilton company. Researchers reached out to AavGo to disclose the security flaw, and AavGo secured the database on July 16, 2019. In a statement, Mrunal Desi, the chief executive at AavGo, said that there was not a breach of the contained data, but rather a vulnerability, which they have fixed.
By Akshay Rohatgi and Randy Pargman About this Student Research Project Binary Defense’s mission is