Bancsec security researchers Brandon Potter and JB Snyder recently discovered a security flaw in Hilton's website that allowed an attacker to access any Hilton HHonors account simply by knowing or guessing the account number, according to investigative reporter Brian Krebs.
Potter and Snyder found that once they had logged into one Hilton HHonors account, they could take over any other account simply by editing the account number embedded in the site's HTML to that of the target and reloading the page. The server acted on the substituted account number without checking that it belonged to the user who was actually logged in.
At that point, an attacker could do anything a legitimate account holder could do, including changing the account password, viewing past and upcoming reservations, accessing the account holder’s personal information, and redeeming HHonors points for travel, hotel reservations or cash.
The issue, Snyder said, stemmed from a common flaw called a cross-site request forgery (CSRF) vulnerability. In this case, the vulnerability was particularly dangerous because Hilton didn’t require logged-in users to re-enter their current passwords before choosing new ones.
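The two weaknesses described above, reduced to a constructed example. This is added illustration, not Hilton's code: the account data, the function names and the session layout are assumptions. The vulnerable handlers accept an account number from the request body once any session exists; the hardened ones take the account from the session, refuse a mismatching client-supplied number, and require the current password before setting a new one.

```python
"""Constructed example (not Hilton's code): a loyalty-account handler that
trusts a client-supplied account number, beside the hardened form.

Account data, function names and the session layout are all assumptions
made for this illustration.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Account:
    number: str
    password: str  # plaintext only to keep the example short
    points: int


# Constructed sample data: two members of a loyalty programme.
ACCOUNTS: Dict[str, Account] = {
    "100001": Account("100001", "alice-pw", 25_000),
    "100002": Account("100002", "bob-pw", 1_200),
}

# Sessions map an opaque token to the account number that authenticated.
SESSIONS: Dict[str, str] = {}


def _same(a: str, b: str) -> bool:
    """Constant-time string comparison."""
    return hmac.compare_digest(a.encode(), b.encode())


def login(number: str, password: str) -> Optional[str]:
    acct = ACCOUNTS.get(number)
    if acct is None or not _same(acct.password, password):
        return None
    token = secrets.token_urlsafe(16)
    SESSIONS[token] = number
    return token


# --- Vulnerable: the account to act on comes from the request body --------
def view_account_vulnerable(token: str, form: dict) -> Optional[dict]:
    if token not in SESSIONS:  # authenticated? yes
        return None
    acct = ACCOUNTS.get(form["account_number"])  # authorised? never checked
    return {"number": acct.number, "points": acct.points} if acct else None


def change_password_vulnerable(token: str, form: dict) -> bool:
    if token not in SESSIONS:
        return False
    acct = ACCOUNTS.get(form["account_number"])
    if acct is None:
        return False
    acct.password = form["new_password"]  # no current-password check
    return True


# --- Hardened: the account comes from the session, never from the client --
def view_account_fixed(token: str, form: dict) -> Optional[dict]:
    owner = SESSIONS.get(token)
    if owner is None:
        return None
    # A client-supplied account_number that disagrees with the session is a
    # tampering attempt; refuse rather than silently serve the caller's own.
    if form.get("account_number", owner) != owner:
        return None
    acct = ACCOUNTS[owner]
    return {"number": acct.number, "points": acct.points}


def change_password_fixed(token: str, form: dict) -> bool:
    owner = SESSIONS.get(token)
    if owner is None:
        return False
    acct = ACCOUNTS[owner]
    # Re-authenticate: a borrowed or forged request carrying a live session
    # must not be enough to set a new password.
    if not _same(acct.password, form.get("current_password", "")):
        return False
    acct.password = form["new_password"]
    return True


def demo() -> dict:
    """Alice logs in, then submits Bob's account number in the form."""
    token = login("100001", "alice-pw")
    tampered = {"account_number": "100002"}
    return {
        "vulnerable_view": view_account_vulnerable(token, tampered),
        "fixed_view": view_account_fixed(token, tampered),
        "vulnerable_pw_change": change_password_vulnerable(
            token, {**tampered, "new_password": "owned"}),
        "fixed_pw_change": change_password_fixed(
            token, {**tampered, "new_password": "owned"}),
    }


if __name__ == "__main__":
    print(demo())
```

In the vulnerable path Alice's session is enough to read Bob's balance and overwrite his password; in the hardened path both requests fail, and even Alice's own password change requires her current password.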
“If they have so much personal information on people, they should be required to do Web application testing before publishing changes to the Internet,” Snyder told Krebs. “Especially if they have millions of users like I’m sure they do.”
To demonstrate the vulnerability, Krebs gave Potter and Snyder his own account number; within seconds they sent back screenshots of his account pages.
The timing of the disclosure is particularly unfortunate, as Hilton had recently begun offering 1,000 free award points to anyone who changed their password online before April 1, 2015.
“Hilton Worldwide recently confirmed a vulnerability on a section of our Hilton HHonors website, and we took immediate action to remediate the vulnerability,” Hilton said in a statement emailed to Krebs. “As always, we encourage Hilton HHonors members to review their accounts and update their online passwords regularly as a precaution.”
“Hilton Worldwide takes information security very seriously and we are committed to safeguarding our guests’ personal information,” the company added.
Krebs reports that the flaw now appears to be fixed, though password changes still don’t require users to re-enter their existing passwords.
“As this latest gaping hole in a major Web site shows, it is impossible to configure every system and network device perfectly,” RedSeal chief evangelist Steve Hultquist told eSecurity Planet by email. “There are too many opportunities for error, and those errors hide in plain sight within the complexity of modern systems, applications, and networks. Every organization needs to have automated analysis determining all of the possible ways that their network and systems could be attacked, before the attackers strike.”
“To only wait for an active attack is to hide from the truth that there are paths that can be exploited,” Hultquist added.