Last Monday we discovered that the Hilton’s website was affected by a flaw that allowed for anyone that had an Honors account to hack into another account by just guessing a 9-digit number.
The attackers could enumerate Hilton Honors account numbers using the company’s Web site, which relies on a PIN reset page that could be used the validity of any attempt for 9-digit number.
To better analyze the event, we must consider that lately Hilton was warning its users that they were obligated to change their login password, an operation that will be mandatory starting at 1 of April 2015.
The popular investigator Brian Krebs was the first to public disclosed the vulnerability discovered by Brandon Potter and JB Snyder, technical security consultant and founder at security firm Bancsec.
“The vulnerability was uncovered by Brandon Potter and JB Snyder, technical security consultant and founder, respectively, at security consulting and testing firm Bancsec. The two found that once they’d logged into a Hilton Honors account, they could hijack any other account just by knowing its account number. All it took was a small amount of changing the site’s HTML content and then reloading the page.” wrote Krebs in a blog post.
The experts discovered that any authenticated users could impersonate any another account by knowing its account number.
” changing the account password; viewing past and upcoming travel; redeeming Hilton Honors points for travel or hotel reservations worldwide; or having the points sent as cash to prepaid credit cards or transferred to other Hilton Honors accounts.” reported Krebs.
Besides the mentioned above, this flaw also exposed customer’s personal information, including email address, physical address and the last 4 digits of the saved credit card.
In the meanwhile, the flaw was fixed and there is no more news about it, but Krebs verified it with the support of the researchers using his personal account.
Hilton issued an official statement confirming the presence of the vulnerability:
“Hilton Worldwide recently confirmed a vulnerability on a section of our Hilton HHonors website, and we took immediate action to remediate the vulnerability,” reads a statement from the company. “As always, we encourage Hilton HHonors members to review their accounts and update their online passwords regularly as a precaution. Hilton Worldwide takes information security very seriously and we are committed to safeguarding our guests’ personal information.”
The researchers explained that the Hilton website was affected by a CSRF (cross-site request forgery) vulnerability that could be exploited by attackers to take over a victim’s account and impersonate it. In the case of Hilton website the situation was more serious because the company didn’t require logged-in users that want to change their password to provide the current one, making the flaw “open” to everyone to exploit it.
One of the experts criticized the low level of security implemented by the Hilton to protect personal information of its customers.
If they have so much personal information on people, they should be required to do Web application testing before publishing changes to the internet,” Snyder said. “Especially if they have millions of users like I’m sure they do.”
About the Author Elsio Pinto
(Security Affairs – Hilton, hacking)