MoneySavingExpert.com has identified a security flaw in the Booking.com system that allows imposters to change or cancel your hotel booking, or even leave a fake review.

The security concerns came to light after one Booking.com customer found a hotel review fraudulently written in her name had been posted on the site, allegedly by a manager at the hotel.

After being alerted to the issue by MoneySavingExpert.com, the hotel bookings giant has launched a full investigation and removed a number of other reviews from the site.

To be safe, you should NEVER show a hotel your booking confirmation when checking in, because it contains details that let you log into your booking. For more on how to protect yourself online, see our 30 Ways to Stop Scams guide.

How the loophole emerged

Tania Wittensleger and her partner used Booking.com in May to book three nights at a hotel in Fes, Morocco - a decision Tania says was partly influenced by the hotel's good reviews on the site.

In the end, she and her partner decided to check out early, and flew home. But a few days later she was surprised to receive an email from Booking.com thanking her for posting a review of the hotel.

She clicked through to the site and found a review written in her name, in broken English: "All in all a very good hotel. Lovely staff ... that is keen on fulfilling even special requests."

At first she didn't understand how someone could have faked the review, as Booking.com only lets verified guests log in and leave reviews.

Then she remembered that while checking her in at the hotel, a manager had photographed her Booking.com confirmation email - something that seemed normal at the time.

She now knows the PIN number and booking reference contained in that email were used to log in to her booking on the site and write a review after she'd checked out.

See the mock-up below which shows how your PIN and booking reference are clearly displayed on the right-hand side of each confirmation email.

[Image: Booking.com security warning after fake reviews – don't show your confirmation email. Caption: Your PIN and reference number can be used to change your booking or leave a review]

A spokesperson for Booking.com said: "The manager at the accommodation did indeed break the rules by photographing Ms Wittensleger’s booking confirmation and subsequently using the information collected (including the reservation ID and PIN code) to fraudulently leave a review on her behalf."

We contacted the hotel in Morocco and received a response from the owner. He said he had been out of the country for several months, blamed the issues on those managing the hotel in his absence and said he had now cancelled the "management contract". He added: “I assure you it will never happen again.”

Could you be caught out too?

You might think it's normal to show a hotel your confirmation email when you check in, but if you booked with Booking.com, sharing that email with anyone could be a bad idea.

That's because each confirmation contains a unique PIN which, together with your booking number, can be used to log into that booking on Booking.com, so long as the person whose account it is isn't already securely signed in.

Once you're logged in you can do the following:

  • Cancel your whole booking
  • Cancel individual rooms in a multi-room booking
  • Add more rooms
  • Leave a review (after the booking ends)
  • Send requests to the hotel

The emails themselves offer no warning about the need to keep their contents confidential. However, the FAQs on Booking.com state: "Your PIN code is the 4-digit number on your booking confirmation, which in combination with your booking number, allows you to log in to 'MyBooking.com'. On 'MyBooking.com' you can view, change or cancel your booking. Please keep your PIN code confidential."

We asked the company whether you should ever show your confirmation email to a hotel. It told us: "Customers do not need to show their actual booking confirmation when they check in at a property, as the property should always have the name for their reservation on file."

'Truly another brother from a different mother'

After Tania contacted Booking.com, it removed the review posted in her name, and in an email to her, claimed it had identified "multiple fake reviews" of the hotel. It's now suspended the establishment from its website while it investigates further.

Although we don't know which other reviews it suspected were fraudulent, before the hotel was suspended we identified a number which offered unusually extravagant praise of the hotel's staff.

One raved that "breakfast was delicious" and had been served by one staff member who was "phlegmatic and sympathetic" and another who was an "easygoing and trustworthy polyglot".

Another enthused about a staff member who was "beyond helpful. He is witty, funny, wants to make sure you have a great time and has a very good heart (...) we truly found another brother from a different mother."

What does Booking.com say?

We asked Booking.com about the security loophole and if it had any plans to change what's included on its booking emails.

A Booking.com spokesperson told us: "The opinion of online reviewers ranks third after price and location as the biggest influencer in a booker’s decision – that’s why Booking.com always ensures its reviews are verified. Only a customer who has booked through Booking.com and stayed at the property in question can write a review, unlike other sites where anyone can create a fake review. 

"In the event that we detect or are made aware of a fraudulent review, our dedicated guest reviews fraud team will investigate fully and remove all reviews that are found to be fake. If we suspect one of our accommodation partners of submitting fraudulent reviews, we take the investigation and potential resulting consequences very seriously and will terminate our working relationship with the property if the behaviour does not cease.

"On this occasion we are conducting a full investigation with [the hotel], having already removed Tania Wittensleger’s review in addition to a number of other reviews, to prevent this unfortunate experience from happening to anyone else."

What does the travel trade body say?

ABTA told us: "Members of the public have become increasingly reliant on customer reviews when choosing their holiday arrangements and it is incredibly important that they should be able to trust these reviews.

"ABTA would expect that travel companies should have adequate procedures in place to prevent false posts and take immediate action when they have evidence that abuse is taking place. Inaccurate, false reviews don’t just mislead the public - they also drive business away from legitimate, honest businesses."