A simple yet powerful flaw in the Hilton Honors site allows anyone to hijack an account just by knowing or guessing its valid 9-digit Hilton Honors account number.
Researchers found that once they had logged into a Hilton Honors account, they could hijack any other account just by knowing its account number. All it took was a small change to the site’s HTML content and a reload of the page.
After that, they could see and do everything available to the legitimate holder of that account, such as changing the account password; viewing past and upcoming travel; redeeming Hilton Honors points for travel or hotel reservations worldwide; or having the points sent as cash to prepaid credit cards or transferred to other Hilton Honors accounts. The vulnerability also exposed the customer’s email address, physical address and the last four digits of any credit card on file.
“Hilton Worldwide recently confirmed a vulnerability on a section of our Hilton HHonors website, and we took immediate action to remediate the vulnerability,” Hilton wrote in an emailed statement. “As always, we encourage Hilton HHonors members to review their accounts and update their online passwords regularly as a precaution. Hilton Worldwide takes information security very seriously and we are committed to safeguarding our guests’ personal information.”
Hilton no longer allows users to pick a PIN as a password, and those who try to reset their password after logging in with their PIN are told to pick a password of at least eight characters in length, containing at least one uppercase letter and a number or special character. Subsequent password changes, however, still do not require users to enter their existing password.
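As an added illustration, not code from Hilton or from the researchers, the following minimal model shows the two weaknesses the story describes: a handler that trusts a client-supplied account number beside one that binds the request to the account the session was authenticated as (and logs any mismatch as a detection signal), plus a password change that re-verifies the current password. Account numbers, passwords and the session token are constructed sample values.

```python
import hashlib
import hmac
import os

class Forbidden(Exception): pass

def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash; the salt is per account."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample data: two members and one logged-in session (Alice's).
_SALT_A, _SALT_B = os.urandom(16), os.urandom(16)
ACCOUNTS = {
    "123456789": {"email": "alice@example.com", "points": 50000,
                  "salt": _SALT_A, "pw_hash": hash_password("Alice-Pass1", _SALT_A)},
    "987654321": {"email": "bob@example.com", "points": 12000,
                  "salt": _SALT_B, "pw_hash": hash_password("Bob-Pass2", _SALT_B)},
}
SESSIONS = {"tok-alice": "123456789"}   # session token -> authenticated account number
AUDIT_LOG = []                          # mismatches land here for alerting

def view_account_vulnerable(session_token: str, account_number: str) -> dict:
    """Before: checks only that *a* session exists, then trusts the client-supplied number."""
    if session_token not in SESSIONS:
        raise Forbidden("not logged in")
    return ACCOUNTS[account_number]     # no check that this session owns the account

def view_account_hardened(session_token: str, account_number: str) -> dict:
    """After: the account served is the one bound to the session. A mismatch is
    refused and logged; that log line is the signal worth alerting on."""
    owner = SESSIONS.get(session_token)
    if owner is None:
        raise Forbidden("not logged in")
    if not hmac.compare_digest(owner, account_number):
        AUDIT_LOG.append(f"idor_attempt session_owner={owner} requested={account_number}")
        raise Forbidden("account does not belong to this session")
    return ACCOUNTS[owner]

def change_password_hardened(session_token: str, current_password: str, new_password: str) -> bool:
    """After: re-verify the current password before accepting a new one, which the
    article notes the site did not require."""
    owner = SESSIONS.get(session_token)
    if owner is None:
        raise Forbidden("not logged in")
    rec = ACCOUNTS[owner]
    if not hmac.compare_digest(rec["pw_hash"], hash_password(current_password, rec["salt"])):
        raise Forbidden("current password incorrect")
    rec["salt"] = os.urandom(16)
    rec["pw_hash"] = hash_password(new_password, rec["salt"])
    return True
```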
Ken Westin, senior security analyst at Tripwire, said: “We have seen a number of loyalty programs hit by hackers from hotel point programs to air miles. These are a popular target of hackers because although these points are a currency in their own right, they are not secured the same way as cash or credit card data. PCI DSS for example does not apply to these systems, even though these points can be exchanged for goods and services.
“By not putting the same level of due care in securing these loyalty programs, airlines and hotels risk hurting their brand and losing the loyalty of dedicated customers. The loss of points is one factor, but there are also security and privacy implications of having access to customers’ travel history, particularly for high profile executives and politicians.”