Why are we writing about Airbnb?
As InfoSec professionals, we are always on the move, travelling to training, conventions, and speaking engagements. Sometimes professional events require an overnight stay and for this, Airbnb is a cheap and tempting option. Focusing on the cozy amenities in a home-away-from-home can sometimes cause us to overlook the privacy concerns that can arise. This blog wondersmith_rae and I have been working on, is an examination of the public information available on Airbnb, what OSINT can be done with this information, and the overall privacy concerns when using the site.
First, let’s get to know the company. Airbnb is a peer-to-peer lodging company based in the U.S. that allows registered hosts to provide hospitality services from their property. Guests are able to book a stay in a host property, as well as view and book local experiences and restaurant reservations via the Airbnb platform. Hosts may list either their own home or a rented home but the rules are very strict and require many certifications and agreements.
All hosts are encouraged to create a profile that includes a profile photo, a small blurb about them, and a list of all identity verifying information they provided (passport, driver’s license, financial information). Their personal profile is in addition to the property listing which contains even more specific property details and photos. When wondersmith_rae and I began wading through Airbnb profiles we soon realised that both Guests and Hosts were revealing an exorbitant amount of personal information! Below you can see some of the information that is publicly available when a person lists a property or creates a profile on Airbnb.
So what can we find out about a host?
To see the scope of information we can find just by viewing a host profile, let’s take a look at Nanci. Straightaway we can see a whole lot of useful information. After reading this single host profile we now know her age, how many kids she has, her marital status, her neighbourhood, and her career.
Knowing the first name of the host, career, and location of the house wondersmith_rae was able to do a quick Boolean search in Google (name + location + career) which immediately brought up her freelancer page. This page provided us with her last name and from there we did an Intelius search that provided us with her relatives.
Once we had her husband’s name wondersmith_rae could do a Google search of his name which quickly provided the address of a house they owned that happened to also match the house they had listed on Airbnb. All of this information was found in less than 5 steps.
What can we find with the map search?
Another way to explore the website’s features to gain personal information is by searching for a specific location on the map.
I started by searching for homes for rent in Manhattan between the 9th and 12th September 2019 for one guest. This search provides a map of Manhattan with available listings for my chosen date range. This data may seem innocuous but now we know what homes are listed on Airbnb and who the hosts are at these locations. At this point, we could investigate the host profiles for any usable information to add to our OSINT report.
If we choose one listing from the map above, for example, we get the below profile that lists a private room near Times Square.
This person’s profile not only tells us when he started hosting (2016), but also important information such as what they do for a living and in their spare time. Interestingly, we can also see his Gmail account and Airbnb account are connected. Should someone access this Gmail account without 2 Factor Authentication being enabled, they could gain access to his Airbnb account as well as everything that comes with it, like financial information.
Reviews are a gold mine
Each listing allows the guests to review the property and hospitality received after their stay. The reviews are a great source of information and in this case, when we picked one guest who had reviewed their stay, we can see when they stayed in New York, of course where they stayed, and why.
When looking at this particular profile we can see where he works, where he lives, and a guidebook that can tell us roughly what places he frequents. Guidebooks are created by hosts to provide information to guests about local experiences like restaurants, bars, hiking trails, etc. Often, these are spots a host will frequently visit, thus, revealing their potential location.
Looking deeper at this individual profile we can also see where they live, work, and get access to a guidebook that can tell us roughly what places he visits regularly.
When we search this user’s official employer website we can easily find the original reviewer under ‘Meet the Team’ allowing us to verify both name and job title. If we take his name + employer into a Google search we now have his entire social media and online persona.
Custom search, Site map and Google dorks
Airbnb provides a handy custom search tool that allows you to narrow down the results page. For example, lets say we are looking for someone in particular we think might have stayed or frequented the area of Washington Square Park. We can search this area directly by typing “Washington Square Park” in the search tab and we get a map with a list of 42 places that we can look into or go to Site Map and search it manually.
You can also search for listings near Landmarks. Since we are looking at New York and there are quite a few landmarks, I searched for “Washington” using ctrl+F and chose the option below. This search comes in handy if you are attempting to locate a specific person/listing but are limited with only vague data about the location.
Using Google, we can also create string searches, or Google Dorks, in order to find a known host or reviewer around a location. This type of search provides us with information in seconds that we would otherwise have to spend time looking up on the Airbnb site.
For example, let’s say we have “Tim” as our target’s name and have received a potential sighting location of Manhattan. The string search function: site:https://airbnb.com “Tim” User profile “Manhattan” will give us any host named Tim who is listed near Manhattan or anyone named Tim who has left a recent review.
String searches can be used to bring up a variety of user information such as specific user profiles, host profiles , reviewers, and even targeted advertisements displayed in multiple languages.
Profile image thumbnails
One last piece of data people might overlook is a host/guest’s profile picture. This information only becomes publicly visible as a small thumbnail during house searching or when leaving a review. With this photo, we can do a direct reverse image search and see if it gives us identification.
Of all the search engines, Yandex seems to have found the most information on our target. These results provide more information to take us further into the investigation.
Anyone with an account on Airbnb should be sure to read and understand the entire privacy agreement. Be cautiously aware of how your personal information will be stored and sold to third parties. Avoid using a photo of yourself on the site, especially in an easily identifiable location. If you feel that you need to use a photo, make sure it’s a photo that isn’t used elsewhere online. Don’t list your children’s names, ages, school, activities, or photos and avoid giving away too much about places you like to visit frequently. Try to avoid listing where you work and where you went to school.
If you are a Guest, be sure to check the listing for cameras on the premises and their locations. Make sure to always contact hosts through the Airbnb platform and never give away personal information in your communications with the host. When you arrive at the home, do a sweep for anything that looks out of place that could be a hidden camera. Look for strange plugs in the wall that don’t lead to anything and remove odd items that look suspicious. As an extra caution, you can turn off the lights and use the flashlight on your phone to look for the reflection of lenses.
This level of security may seem fanatical to some but as we have illustrated, it is incredibly easy to find useful information with very few details. If you leave the key to your house in the door, you can’t expect a thief not to use it.