Cybersecurity professionals voiced concerns about a vulnerability in the website for Hilton Honors, the global hotel chain's loyalty program. The weakness could have opened the door to theft of personal information.
The flaw has been fixed, according to Hilton.
Brian Krebs, a digital security expert, blogged today:
"The vulnerability was uncovered by Brandon Potter and JB Snyder, technical security consultant and founder, respectively, at security consulting and testing firm Bancsec. The two found that once they’d logged into a Hilton Honors account, they could hijack any other account just by knowing its account number.
All it took was a small amount of changing the site’s HTML content and then reloading their Web browser."
The flaw meant that once a user was logged in, the site would act on a request for any other member's account. This opened the way to cross-site request forgery (CSRF), an attack in which a site is fooled into acting on unauthorized requests that appear to come from a user it trusts, in this case giving access to other members' accounts.
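To make the pattern concrete, here is an added illustration written for this article; it is not Hilton's code and not code from Krebs' report. A hypothetical handler authenticates the caller by session cookie but then trusts an account number supplied in the request body (the kind of value that sits in page HTML and can be edited before reloading), so a forged request carrying the victim's cookie reads someone else's record. The hardened version requires a per-session CSRF token, rejects a mismatched Origin header when the browser sends one, and serves only the account bound to the session. The account numbers, session IDs and site origin are constructed sample data.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample data (hypothetical, not Hilton's systems): two loyalty
# accounts and one logged-in session belonging to alice. Each session carries
# its own random CSRF token, which a foreign site cannot read.
ACCOUNTS = {
    "100200300": {"owner": "alice", "points": 52000},
    "400500600": {"owner": "bob", "points": 9100},
}
SESSIONS = {
    "sess-alice": {"user": "alice", "account": "100200300",
                   "csrf": secrets.token_hex(16)},
}
SITE_ORIGIN = "https://loyalty.example"  # assumed origin of the hypothetical site


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: cookies, form fields, headers."""
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


def _session(req):
    return SESSIONS.get(req.cookies.get("session"))


def vulnerable_account_view(req):
    """Weak pattern: authenticates via the session cookie, then trusts the
    account number from the request body. Any logged-in session can read any
    account just by naming its number."""
    sess = _session(req)
    if sess is None:
        return 401, None
    acct = ACCOUNTS.get(req.form.get("account", ""))
    return (200, acct) if acct else (404, None)


def hardened_account_view(req):
    """Same endpoint with CSRF defences and the account bound to the session."""
    sess = _session(req)
    if sess is None:
        return 401, None
    # Browsers send Origin on cross-site form posts; reject foreign origins.
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, None
    # Synchronizer token: must match the value issued to this session.
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf"]):
        return 403, None
    # Ignore any client-supplied account number; serve the session's own.
    return 200, ACCOUNTS[sess["account"]]


def forged_request():
    """What a malicious page can make the victim's browser send: the browser
    attaches alice's cookie, the attacker chooses the account number, and the
    attacker does not know alice's CSRF token."""
    return Request(cookies={"session": "sess-alice"},
                   form={"account": "400500600"},
                   headers={"Origin": "https://attacker.example"})


def tampered_same_site_request():
    """A genuine same-site request whose hidden account field was edited in
    the page HTML; the token is valid, so only the account binding matters."""
    sess = SESSIONS["sess-alice"]
    return Request(cookies={"session": "sess-alice"},
                   form={"account": "400500600", "csrf_token": sess["csrf"]},
                   headers={"Origin": SITE_ORIGIN})


if __name__ == "__main__":
    print("vulnerable, forged:", vulnerable_account_view(forged_request()))
    print("hardened, forged:", hardened_account_view(forged_request()))
    print("hardened, tampered:", hardened_account_view(tampered_same_site_request()))
```

The token check alone stops the cross-site case; binding the record to the session is what stops a logged-in member from simply editing the account number in their own page, which is the behaviour Krebs describes.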
The hotel chain didn't say if this method was used to obtain personal information. But last November, as Tnooz reported, there had been a spike of hacker attacks on loyalty program accounts, including on Hilton HHonors.
Hilton has asked its HHonors members to change their passwords, but knowing a password wasn't necessary for the technique. Ken Westin, a security analyst from Tripwire, a security software company in Portland, Oregon, says:
"The standard industry data security assessment known as PCI DSS does not apply to these loyalty program systems, even though these points can be exchanged for goods and services.
By not putting the same level of due care into securing these loyalty programs, airlines and hotels risk hurting their brand and losing the loyalty of dedicated customers."
Cross-Site Request Forgery (CSRF) in Plain English
Krebs on Security: Hilton Honors Flaw Exposed All Accounts
Ongoing: Hilton’s loyalty program hackers continue selling account access
Mandarin Oriental: Undetectable malware stole our credit card data
NB: Image courtesy of shanputnam/Flickr via Creative Commons.