In a bid to increase account security and discourage the use of insecure four-digit PINs, Hilton Hotels & Resorts recently offered its Hilton HHonors award scheme members 1,000 free HHonors Points if they changed their passwords before April 1, 2015. Ironically, the campaign had the opposite effect: anyone resetting their password could hijack any other Hilton HHonors account just by knowing or guessing its nine-digit account number.
Brian Krebs reports that Brandon Potter and JB Snyder of Bancsec discovered the cross-site request forgery (CSRF) vulnerability. It allowed hackers to “do everything available to the legitimate holder of that account, such as changing the account password; viewing past and upcoming travel; redeeming Hilton Honors points for travel or hotel reservations worldwide; or having the points sent as cash to prepaid credit cards or transferred to other Hilton Honors accounts. The vulnerability also exposed the customer’s email address, physical address and the last four digits of any credit card on file.”
Mr Krebs informed Hilton of the vulnerability, and the company acted quickly to fix it. “Hilton Worldwide recently confirmed a vulnerability on a section of our Hilton HHonors website, and we took immediate action to remediate the vulnerability,” Hilton wrote in an emailed statement. “As always, we encourage Hilton HHonors members to review their accounts and update their online passwords regularly as a precaution. Hilton Worldwide takes information security very seriously and we are committed to safeguarding our guests’ personal information.”
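The failure mode described above is a password-change handler that trusts an account number supplied in the request and accepts the request without any proof that the logged-in user intended it. The following is an added illustration, not Hilton’s code and not from the Krebs report; the request format, the in-memory stores and the nine-digit sample account numbers are constructed for the example.

```python
import hmac
import secrets

# Constructed stand-ins for the site's account database and session store.
# Passwords are held in plaintext only to keep the example short; a real
# store would hold salted hashes and compare against them.
ACCOUNTS = {"123456789": {"password": "old-pw"}, "987654321": {"password": "other-pw"}}
SESSIONS = {"sess-A": {"account": "123456789", "csrf": secrets.token_hex(16)}}


def change_password_vulnerable(session_id, form):
    """Weak pattern: the account to modify comes from the request body and
    there is no CSRF token, so any logged-in user, or a forged cross-site
    POST riding on their session, can reset any account whose number is
    known or guessed."""
    if session_id not in SESSIONS:
        return "unauthenticated"
    acct = ACCOUNTS.get(form.get("account", ""))
    if acct is None:
        return "no such account"
    acct["password"] = form["new_password"]
    return "ok"


def change_password_hardened(session_id, form):
    """Hardened pattern: the target account is taken from the server-side
    session, never from the request; the change requires the current
    password; and a per-session CSRF token is checked in constant time."""
    sess = SESSIONS.get(session_id)
    if sess is None:
        return "unauthenticated"
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf"]):
        return "csrf check failed"
    acct = ACCOUNTS[sess["account"]]  # bound to the caller, not to form data
    if form.get("current_password") != acct["password"]:
        return "current password incorrect"
    acct["password"] = form["new_password"]
    return "ok"
```

A CSRF token alone would not have closed this hole if the account number were still read from the request; the fix needs both the token and the server-side binding of the action to the caller’s own account.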
If you’re concerned about your organization’s susceptibility to attack, you’ll be interested in IT Governance’s penetration testing packages. Designed to identify vulnerabilities and provide remedial measures that you can take to secure your systems, they provide a complete solution for the routine security testing of your websites and IT systems to ensure that your networks and applications remain secure against cyber attacks.