An application available on an unsecured website included credentials that could have allowed compromising consumer-facing Uniguest kiosks. The tool could be downloaded by anyone accessing a subdomain created for hosting programs used by company technicians. Using the hardcoded credentials and the open-source SOAPUI tool to connect to the API, security researchers at Trustwave say that they could have gleaned “all the data”” in the database accessed this way. The company has placed the website behind an authentication portal and disabled the API credentials.”
Source: https://www.bleepingcomputer.com/news/security/hotel-kiosks-could-be-unsafe-due-to-exposed-keys-in-tech-tool/