After a security researcher uncovered several security flaws in the British hotel booking site HotelHippo.com, website owner HotelStayUK says the site has been permanently shut down (h/t Graham Cluley).
"Our investigations showed that just 24 customers were affected by the issues with HotelHippo," the company said in a statement. "This was a small, very little-used site. But for even one customer, it is obviously completely unacceptable and we are very sorry. We have therefore contacted all these customers and have offered them compensation."
Customers with questions are advised to contact the company at 08446 606 007.
Despite the fact that all other sites run by HotelStayUK apparently use a different login process, the company says it has taken all of its sites down one by one "to put them through rigorous testing by independent experts to ensure their safety and security," and plans to continue to do so on a regular basis.
On July 1, 2014, security researcher Scott Helme reported in a blog post that he'd visited HotelHippo to book a hotel in the Lake District, but quickly came across several worrying vulnerabilities in the site.
"Right off the bat we land at the Hotel Hippo home page and are greeted with a 'COMODO -- Authentic & Secure' badge on a page served over HTTP," Helme wrote, adding that the site's security certificate had been issued for afternoonteafortwo.co.uk, not for HotelHippo.
When he arrived at the payment screen, Helme noticed that his booking reference number was visible in the URL, writing, "Surely though, you wouldn’t be able to change that number and retrieve the details from other booking reference numbers, right? You must create an account further down the line and have to be authenticated to retrieve this data, right?"
Unfortunately, Helme found that he could easily walk backwards through the sequential booking reference numbers and view all data associated with each one.
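The access-control flaw described above, as an added illustration that is not code from HotelHippo or from Helme's post: a lookup keyed only on the guessable booking reference, beside a version that checks ownership on the server and issues non-sequential references. The function names, the `Booking` fields and the sample records are assumptions constructed for the example.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Booking:
    reference: str
    owner: str        # account that created the booking
    guest_name: str
    address: str


# Constructed sample data: sequential references like the ones in the article.
BOOKINGS = {
    "100041": Booking("100041", "alice", "Alice Example", "1 High St, Kendal"),
    "100042": Booking("100042", "bob", "Bob Example", "2 Low Rd, Keswick"),
}


def get_booking_vulnerable(reference):
    """The pattern Helme found: the reference from the URL is the only input,
    so whoever supplies a neighbouring number reads someone else's record."""
    return BOOKINGS.get(reference)


def get_booking_hardened(session_user, reference):
    """Authorise server-side: the record must belong to the authenticated user.
    'Missing' and 'not yours' both return None so responses do not reveal
    which references exist."""
    if session_user is None:
        return None
    booking = BOOKINGS.get(reference)
    if booking is None or booking.owner != session_user:
        return None
    return booking


def new_reference():
    """Opaque, random reference: there is no sequence to walk backwards through.
    This complements the ownership check; it does not replace it."""
    return secrets.token_urlsafe(16)
```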
"At this point, an attacker has everything they could possibly need to launch a highly effective phishing attack against a user," Helme wrote. "With name and address details it’s pretty easy to look up a phone number and place a very convincing phone call to the customer."
And those were just a few of the security flaws Helme uncovered.
This is yet another example of Internet security issues having significant ramifications for companies -- just over two weeks ago, the code hosting service Code Spaces was also permanently shut down, in this case following a multi-stage cyber attack. An attacker gained access to Code Spaces' Amazon EC2 control panel and deleted most of the company's data, backups, machine configurations and offsite backups.