Password changing is still not completely secure

Mar 23, 2015 09:05 GMT

A vulnerability in Hilton Hotels’ website for the HHonors reward program allowed an attacker to hijack any profile based on its account number, which could be easily obtained using the company’s website.

Hilton HHonors is a loyalty program that lets customers earn points toward discounted or even free stays at any of the brands in the hospitality company's worldwide portfolio.

Travel info, personal data and reward points exposed

Reward points can also be managed from the account: customers can transfer them to other accounts or convert them into cash on prepaid cards.

The accounts created by customers include travel details, such as the hotel reservation history and stays scheduled for the future, email and physical addresses, and the last four digits of an associated payment card.

The security weakness was a CSRF (cross-site request forgery) issue, security blogger Brian Krebs learned from the researchers who made the discovery, Brandon Potter and JB Snyder of Bancsec, a cyber-security consultancy company.

The duo said that the problem could be exploited by making some modifications to the HTML code powering the website and then refreshing the page.

Password changing action still not sufficiently protected

The result would be complete access to the account and the possibility to lock the legitimate owner out by changing the log-in password, an action that did not require verification of the old password.

The hospitality company acknowledged the security flaw and repaired it. No incidents taking advantage of this problem have been reported, but the company recommends that its customers review the information in their accounts and change their passwords regularly as a precaution.

At the moment, access to the account requires a password of at least eight characters that mixes upper and lower case letters with a number or symbol. However, Krebs reports that the password can still be changed without providing the current one, a check that would prove the true owner of the account is initiating the modification.
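To make the two weaknesses described above concrete (a password-change request that is neither protected against cross-site request forgery nor gated on the current password), here is an added illustration of a weak handler beside a hardened one. This is example code, not Hilton's or Krebs' code; the in-memory stores, the form field names and the account numbers are constructed for the demonstration.

```python
import hmac
import hashlib
import secrets

# Constructed in-memory stores standing in for the site's database and session layer.
USERS = {}     # account number -> {"salt": bytes, "pw_hash": bytes}
SESSIONS = {}  # session id -> {"account": str, "csrf": str}

def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def create_account(account, password):
    salt = secrets.token_bytes(16)
    USERS[account] = {"salt": salt, "pw_hash": _hash_pw(password, salt)}

def verify_password(account, password):
    user = USERS.get(account)
    return bool(user) and hmac.compare_digest(user["pw_hash"], _hash_pw(password, user["salt"]))

def login(account, password):
    """Returns a session id, or None. The CSRF token is stored server-side, bound to the session."""
    if not verify_password(account, password):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"account": account, "csrf": secrets.token_urlsafe(32)}
    return sid

def change_password_weak(session_id, form):
    """Mirrors the reported flaw: no CSRF token, no current-password check, and the account
    to modify is taken from the submitted form, so any logged-in browser that can be made to
    submit this form rewrites whichever account number the form names."""
    if session_id not in SESSIONS:
        return False
    user = USERS.get(form.get("account"))
    if not user:
        return False
    user["pw_hash"] = _hash_pw(form["new_password"], user["salt"])
    return True

def change_password_hardened(session_id, form):
    """Session-bound CSRF token compared in constant time, re-authentication with the
    current password, and the target account comes only from the session."""
    sess = SESSIONS.get(session_id)
    token = str(form.get("csrf", "")).encode()
    if not sess or not hmac.compare_digest(sess["csrf"].encode(), token):
        return False
    if not verify_password(sess["account"], str(form.get("current_password", ""))):
        return False
    user = USERS[sess["account"]]
    user["salt"] = secrets.token_bytes(16)  # fresh salt on every rotation
    user["pw_hash"] = _hash_pw(form["new_password"], user["salt"])
    return True
```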