Travellers anticipate friction, but rarely do they find the keys to a strangerโs room. The story is simple: I booked a room at Hotel Z.
I checked in at a bank of self-service tablets and encoded my keycard. I wandered a maze of grey corridors, located the room, and tapped the reader; greenlight: I'm in. Near six hours on a coach had left me bursting. I pushed the door open, then stopped dead. A stranger's suitcase sat on the floor, a jacket slung over the bed. A mix of confusion and panic set in immediately: had I accidentally booked a shared hostel room? I checked the luggage tag and froze; it bore my full name.
A quick, confused return to the lobby and a conversation with an equally confused human receptionist this time revealed the catastrophe: I was in the wrong hotel entirely, but another guest with my exact name was staying here, and the machine had blindly issued me his key. (Confession: I did use their bathroom before leaving)
An Autopsy
Standing in the lobby, my security brain kicked into gear. This wasn't just a mix-up; it was a vulnerability. I had bypassed the system simply by existing.
Letโs look at where the logic broke down:
- The Username: My name. Hardly a unique identifier.
- The Glitch: The tablet likely ran a lazy query: find the first match for my name and grant access.
- The Missing Link: The system skipped the "password". It never asked for a booking reference, email, or ID to verify I was the right version of me.
- The Result: Total failure. The machine prioritised convenience over basic safety.
Relying on one weak data point rendered the system defenceless. It's the physical equivalent of your phone unlocking to a picture of you.
Security by Design
We often mistake a sleek interface for a secure system. The rows of tablets looked modern, but the underlying logic was archaic. It prioritised a frictionless experience over verification.
By removing the "awkward" steps of checking IDs and confirming dates, the developers removed the security itself. A shared name should not be enough to dismantle your system.
Be careful out there vibe coders...
UPDATE
I returned months later. The hotel appears to have patched this. Wonder if I influenced that...