Hilton member accounts info, trip dates open to plunder

A pair of security researchers have found a basic flaw that allows anyone to steal email and home address information, trip data, and spend points of Hilton Worldwide "HHonors" loyalty club members.

The cross-site request forgery is tied to a password reset initiative the company launched offering 1000 points to those who took part. That campaign may have followed a flood of Hilton HHonors points being sold on underground markets following brute force attacks.

Cybercrime reporter Brian Krebs revealed the flaw discovered by Bancsec hacker duo Brandon Potter and JB Snyder.

The pair says attackers could access customer accounts if they could guess member numbers.

“There are a billion combinations, but this testing on the PIN reset page could be easily automated,” Snyder told KrebsonSecurity.

"If they have so much personal information on people, they should be required to do web application testing before publishing changes to the internet.

“Especially if they have millions of users like I’m sure they do."

Hilton Worldwide patched the vulnerability soon after the bug was disclosed, removing the ability to use four digit PINs and insisting on eight character passwords.

The company says in a statement that Hilton HHonors members should update their passwords, adding the mandatory statement that it "takes security very seriously" and is "committed to safeguarding our guests’ personal information”.

Securonix chief scientist Igor Baikalov says it appears the company lacked security monitoring.

"Judging from a trivial nature of vulnerabilities discovered so far, it's unlikely that Hilton HHonors has any kind of comprehensive monitoring of user activities; therefore, figuring out how many times this flaw has been exploited would take a lot of digging through the log files," Baikalov says.

"Until the company proves that it takes security seriously, HHonors users should be wary of potential manipulation of their account data, as well as of the risk of identity theft based on the information in their HHonors profile."

Baikalov says three distinct flaws appeared to exist on the site, including forced browsing, account harvesting, and broken authentication.

The first flaw allows attackers to access user resources due to predictable resource location and lack of session validation; the second allows enumeration of possible valid PIN values, and the third exposes password resets and the like without re-validating user sessions.

"These three have been on the (OWASP) Top 10 list of web application vulnerabilities for well over a decade, and should have been discovered in any security assessment in minutes," Baikalov says.

Tripwire senior security analyst Ken Westin says access to high profile executives and politician's customers’ travel history could be valuable to attackers. ®