Flaw in Hilton Honors website left all customer accounts wide open
The discovery of a vulnerability in the Hilton HHonors website that could lead to account hijacking and information theft has put a temporary stop to Hilton Hotels & Resorts’ attempt to induce customers to improve their account security.
The company has recently offered 1,000 free Hilton HHonors Awards points to its members if they change their password, i.e. PIN, before April 1, 2015, when the change becomes mandatory.
It is believed that this was an attempt to improve account security, as the site no longer allows users to use a 4-digit PIN as the password. Instead, they are instructed to choose a password consisting of 8 characters or more, and containing at least one uppercase letter, one number or a special character.
The cross-site request forgery (CSRF) flaw was discovered by Brandon Potter and JB Snyder of security consultancy firm Bansec. As they demonstrated to Brian Krebs, once they had logged into a Hilton Honors account (for example, their own), they could access any other account by simply tweaking the site’s HTML and reloading the page.
They would need to know the account number of the target, or just test random 9-digit numbers on the site’s PIN reset page to see if they had guessed a valid one, and all the contents of the account in question would be at their fingertips: the account holder’s name, email address, physical address, the last four digits of the payment card associated with the account, their past hotel reservations, and more.
Finally, they can effectively hijack the account by choosing to change the account password, as the site didn’t ask logged-in users to re-enter their current passwords before picking a new one.
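The two weaknesses described above (an account identifier taken from the request rather than from the authenticated session, and a password change that does not require the current password or a CSRF token) are easy to contrast with their fixed form in code. The example below is added here and is not Hilton's code or anything from the researchers; the account numbers, e-mail addresses and passwords are constructed sample data, and the policy check mirrors the rules quoted in the article (8 or more characters, at least one uppercase letter, and a number or special character).

```python
import hashlib
import hmac
import secrets
import string

# Constructed sample accounts; every value here is made up for the example.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def _make_account(email: str, card_last4: str, password: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"email": email, "card_last4": card_last4,
            "salt": salt, "pw_hash": _hash_password(password, salt)}

ACCOUNTS = {
    "123456789": _make_account("alice@example.com", "4242", "Alice-Pass1"),
    "987654321": _make_account("bob@example.com", "1881", "BobPass99"),
}

class Session:
    """Server-side session: the account id and a per-session CSRF token."""
    def __init__(self, account_id: str):
        self.account_id = account_id
        self.csrf_token = secrets.token_urlsafe(32)

def login(account_id: str, password: str):
    acct = ACCOUNTS.get(account_id)
    if acct is None:
        return None
    if not hmac.compare_digest(_hash_password(password, acct["salt"]), acct["pw_hash"]):
        return None
    return Session(account_id)

def view_profile_insecure(session, requested_account_id: str) -> dict:
    # Vulnerable pattern: being logged in is treated as authorization for
    # whatever account id the request (a hidden form field, a URL) carries.
    if session is None:
        raise PermissionError("login required")
    acct = ACCOUNTS[requested_account_id]
    return {"email": acct["email"], "card_last4": acct["card_last4"]}

def view_profile(session, requested_account_id: str) -> dict:
    # Hardened: the account id must match the one bound to the session.
    if session is None or requested_account_id != session.account_id:
        raise PermissionError("account does not belong to this session")
    acct = ACCOUNTS[session.account_id]
    return {"email": acct["email"], "card_last4": acct["card_last4"]}

def password_meets_policy(pw: str) -> bool:
    # 8+ characters, one uppercase letter, and a digit or special character.
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.isdigit() or c in string.punctuation for c in pw))

def change_password(session, csrf_token: str, current_password: str, new_password: str) -> bool:
    if session is None:
        raise PermissionError("login required")
    # A forged cross-site request cannot know the session's token.
    if not hmac.compare_digest(csrf_token.encode(), session.csrf_token.encode()):
        raise PermissionError("bad CSRF token")
    acct = ACCOUNTS[session.account_id]
    # Re-authenticate: a hijacked or unattended session cannot change the
    # password without the current one.
    if not hmac.compare_digest(_hash_password(current_password, acct["salt"]), acct["pw_hash"]):
        raise PermissionError("current password incorrect")
    if not password_meets_policy(new_password):
        raise ValueError("new password does not meet policy")
    acct["salt"] = secrets.token_bytes(16)
    acct["pw_hash"] = _hash_password(new_password, acct["salt"])
    session.csrf_token = secrets.token_urlsafe(32)  # rotate after a sensitive action
    return True

if __name__ == "__main__":
    s = login("123456789", "Alice-Pass1")
    print(view_profile(s, "123456789"))
    try:
        view_profile(s, "987654321")
    except PermissionError as e:
        print("blocked:", e)
```

The important design choice is that `view_profile` never consults a client-supplied account number for authorization at all; it only checks that the number matches the session, so a changed hidden field or URL parameter cannot widen access. The account-number enumeration route mentioned in the article is a separate problem that the same check does not address; rate limiting and non-revealing responses on the PIN reset page are the usual controls there.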
These issues seem to have been fixed in the meantime, and users are once again able to access their accounts, change their passwords and claim the free awards points.