Airbnb Bug Let You Read Other People’s Account Messages

Airbnb says it has fixed a baffling bug in its website that briefly caused some of its users to be shown messages belonging to others when viewing their account inboxes.

The rent-out-your-home app maker said the problem occurred on Thursday between 0930 and 1230 PT, and affected punters who were logged into its desktop or mobile site as opposed to its smartphone app. During that time, users said that when trying to view their inboxes, they were instead randomly shown the contents of other users’ inboxes. These included private messages and booking confirmations with things like stay details and addresses.

While it seemed to be Airbnb hosts publicly reporting encountering the blunder, the biz would not confirm exactly who had been hit, only saying it was “a small subset of users” who had their inboxes shown to strangers. We’re leaning toward believing this was a classic web caching gaffe, in which people were shown inbox pages and messages incorrectly cached by Airbnb’s web servers.

“On Thursday, a technical issue resulted in a small subset of users inadvertently viewing limited amounts of information from other users’ accounts,” an Airbnb spinner told The Register.

“We fixed the issue quickly and are implementing additional controls to ensure it does not happen again. We don’t believe any personal information was misused and at no point was payment information accessible.”

people peer into camera. photo by shutterstock

Airbnb host thrown in the clink after guest finds hidden camera inside Wi-Fi router


So far, this appears to be a technical goof rather than foul play. Airbnb does not believe the issue was the result of any sort of network intrusion or app exploit. The biz is, however, reviewing whether it will be needing to file any privacy breach notifications under data protection laws.

Still, this will all be of little comfort to folks who had their private messages and booking details exposed to complete strangers. A quick glance at the Airbnb message board on Reddit from Thursday morning shows just how stressful the brief leak was for many users.

“I am seeing other people’s (hosts’) messages,” wrote Reddit user Autocasa. “This is clearly a concerning security link.”

“I’m logging in as a host and it’s welcoming me with a different name and inboxes. My co-host is setting a completely different inbox,” wrote Reddit user Callagem, who noted that Airbnb support was less than helpful. “We’re on the phone with Airbnb who at first was just like, clear your cookies.”

In some cases, the hosts were turning to one another to try and figure out what was going on. “Just had another host call me and advise they have access to my account (wondering if I had access to theirs),” reported Reddit user cagreen151. “Every time I refresh, it’s a new account/inbox.”

Similarly, users were flustered on Twitter:

Airbnb told us the issue should not happen again. If you have any information that might suggest otherwise, please get in touch. ®