A major flaw has been found in the Hilton Hotels site that lets anyone hijack a Hilton Honors account just by knowing or guessing its valid 9-digit Hilton Honors account number.
The vulnerability was uncovered by Brandon Potter and JB Snyder, technical security consultant and founder, respectively, at security consulting and testing firm Bancsec. The two found that all it took to take over an account, given its number, was a small amount of tweaking to the site’s HTML content followed by a page reload. The researchers described it as a cross-site request forgery (CSRF) vulnerability, a class of flaw in which a web browser is made to perform an unwanted action on a trusted site for which the user is currently authenticated. Note that the behaviour as described, an authenticated user changing a value in the page to reach another member’s data, is also the forced-browsing pattern Baikalov lists below; the site trusted a client-supplied account number instead of the account bound to the session.
Security journalist Brian Krebs, who reported the flaw, laid out the dangers. Hackers can perform a variety of actions, including “changing the account password; viewing past and upcoming travel; redeeming Hilton Honors points for travel or hotel reservations worldwide; or having the points sent as cash to prepaid credit cards or transferred to other Hilton Honors accounts,” he explained. “The vulnerability also exposed the customer’s email address, physical address and the last four digits of any credit card on file.”
Igor Baikalov, chief scientist at Securonix, said in an email that the site appears to have at least three common vulnerabilities, all of them easily uncovered and fixed:
Forced Browsing, where an attacker can manipulate request parameters to access other users’ resources because of predictable resource locations and a lack of session validation;
Account Harvesting, which allows enumeration of possible valid PIN values through an unsecured page;
Broken Authentication and Session Management, which permits sensitive operations (like password reset) without re-validating the user session.
“These three have been on the Top 10 list of web application vulnerabilities for well over a decade, and should have been discovered in any security assessment in minutes,” Baikalov said. “Based on the apparent lack of security oversight of the website development, a competent pen-tester should be able to find quite a few more issues, even just using automated tools for vulnerability assessment.”
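To make the three weaknesses concrete, here is an added example, not code from the article, from Bancsec or from Hilton: a toy Python model of a profile page and a password-reset handler, first written the way the article describes the flaw (account number trusted from the page, no CSRF token, no re-authentication) and then hardened so the account is resolved from the server-side session, the reset form must echo a per-session token, and the sensitive operation re-validates the user. The parameter names (accountNumber, csrfToken, currentPassword, newPassword), the account data and the session model are assumptions made for this example; account-enumeration defences (rate limiting, uniform responses) are out of scope here.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


def make_accounts():
    """Constructed sample data for this example (fictitious 9-digit numbers)."""
    return {
        "123456789": {"email": "alice@example.com", "points": 50000, "password": "alice-pw"},
        "987654321": {"email": "bob@example.com", "points": 12000, "password": "bob-pw"},
    }


@dataclass
class Session:
    """Server-side session created at login.  The account number is bound here
    once, so later requests never carry it and are never trusted with it."""
    account_number: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Stand-in for an HTTP request: the caller's session (None if anonymous)
    and the merged query/form parameters (assumed names, see lead-in)."""
    session: Optional[Session]
    params: dict


# --- Vulnerable pattern: what the article describes -------------------------

def view_profile_vulnerable(accounts, req):
    # Forced browsing: the account number is read from a parameter the page
    # itself emitted in its HTML, so editing it and reloading returns another
    # member's data.  Nothing ties the number to the session making the request.
    acct = accounts.get(req.params.get("accountNumber", ""))
    if acct is None:
        return 404, None
    return 200, {"email": acct["email"], "points": acct["points"]}


def reset_password_vulnerable(accounts, req):
    # Broken authentication: a state-changing request keyed by the same
    # client-supplied number, with no CSRF token and no re-validation of the user.
    acct = accounts.get(req.params.get("accountNumber", ""))
    if acct is None:
        return 404, None
    acct["password"] = req.params["newPassword"]
    return 200, "changed"


# --- Hardened pattern ----------------------------------------------------------

def view_profile_hardened(accounts, req):
    if req.session is None:
        return 401, None
    # Resolve the account from the session, never from the request.  If the
    # client sends a number anyway, it must match the session or be refused.
    sent = req.params.get("accountNumber")
    if sent is not None and sent != req.session.account_number:
        return 403, None
    acct = accounts[req.session.account_number]
    return 200, {"email": acct["email"], "points": acct["points"]}


def reset_password_hardened(accounts, req):
    if req.session is None:
        return 401, None
    # CSRF defence: the form must echo the per-session token (compared in
    # constant time).  A cross-site page cannot read the token, so a forged
    # request auto-submitted by the victim's browser fails here.
    if not hmac.compare_digest(req.params.get("csrfToken", ""), req.session.csrf_token):
        return 403, "csrf token missing or wrong"
    # Sensitive operation: re-validate the user with the current password
    # rather than trusting the session cookie alone.
    acct = accounts[req.session.account_number]
    if not hmac.compare_digest(req.params.get("currentPassword", ""), acct["password"]):
        return 403, "re-authentication failed"
    acct["password"] = req.params["newPassword"]
    return 200, "changed"


def demo():
    """Replay the two attacks against both handler sets and return the outcomes."""
    acc_v, acc_h = make_accounts(), make_accounts()
    alice = Session(account_number="123456789")
    bob = Session(account_number="987654321")
    # Attack 1: Alice, logged in, edits the account number in the page to Bob's
    # and reloads.
    tampered = Request(session=alice, params={"accountNumber": "987654321"})
    # Attack 2 (CSRF): Bob's browser, lured to an attacker's page, auto-submits a
    # reset form; his session cookie rides along, but no token can be included.
    forged = Request(session=bob, params={"accountNumber": "987654321",
                                          "newPassword": "pwned"})
    # Legitimate reset by Bob from the real form, with token and current password.
    legit = Request(session=bob, params={"csrfToken": bob.csrf_token,
                                         "currentPassword": "bob-pw",
                                         "newPassword": "new-bob-pw"})
    return {
        "leaked": view_profile_vulnerable(acc_v, tampered),
        "blocked": view_profile_hardened(acc_h, tampered),
        "forged_vulnerable": reset_password_vulnerable(acc_v, forged),
        "forged_hardened": reset_password_hardened(acc_h, forged),
        "legit_hardened": reset_password_hardened(acc_h, legit),
        "bob_password_after": (acc_v["987654321"]["password"],
                               acc_h["987654321"]["password"]),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The design point is that the hardened handlers never derive identity from the request: the account comes from the session, a state change needs a secret the attacker's page cannot read, and a credential-changing operation asks for the current credential again. Each of those three checks maps to one of the three weaknesses Baikalov lists.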
Hilton told Krebs that it had fixed the issue, but Baikalov added that, given the apparent lack of security oversight, any past exploitation of the flaw would most likely have gone undetected.
“Judging from the trivial nature of the vulnerabilities discovered so far, it's unlikely that Hilton HHonors has any kind of comprehensive monitoring of user activities,” he said. “Therefore, figuring out how many times this flaw has been exploited would take a lot of digging through the log files.”
“Until the company proves that it takes security seriously, HHonors users should be wary of potential manipulation of their account data, as well as of the risk of identity theft based on the information in their HHonors profile,” Baikalov said.