Hospitality giant Hilton Hotels & Resorts recently started offering Hilton HHonors Awards members 1,000 free awards points to those who agreed to change their passwords for the online service prior to April 1, 2015, when the company said the change would become mandatory. Ironically, that same campaign led to the discovery of a simple yet powerful flaw in the site that let anyone hijack a Hilton Honors account just by knowing or guessing its valid 9-digit Hilton Honors account number.
The vulnerability was uncovered by Brandon Potter and JB Snyder, technical security consultant and founder, respectively, at security consulting and testing firm Bancsec. The two found that once they’d logged into a Hilton Honors account, they could hijack any other account just by knowing its account number. All it took was a small amount of changing the site’s HTML content and then reloading the page.
After that, they could see and do everything available to the legitimate holder of that account, such as changing the account password; viewing past and upcoming travel; redeeming Hilton Honors points for travel or hotel reservations worldwide; or having the points sent as cash to prepaid credit cards or transferred to other Hilton Honors accounts. The vulnerability also exposed the customer’s email address, physical address and the last four digits of any credit card on file.
I saw this vulnerability in action after giving Snyder and Potter my own Hilton Honors account number, and seconds later seeing screen shots of them logged into my account. Hours after this author alerted Hilton of the discovery, the Hilton Honors site temporarily stopped allowing users to reset their passwords. The flaw they discovered now appears to be fixed.
“Hilton Worldwide recently confirmed a vulnerability on a section of our Hilton HHonors website, and we took immediate action to remediate the vulnerability,” Hilton wrote in an emailed statement. “As always, we encourage Hilton HHonors members to review their accounts and update their online passwords regularly as a precaution. Hilton Worldwide takes information security very seriously and we are committed to safeguarding our guests’ personal information.”
Snyder said the problem stemmed from a common Web application weakness called a cross-site request forgery (CSRF) vulnerability, a type of attack that occurs when a malicious Web site, email, blog, instant message, or program causes a user’s Web browser to perform an unwanted action on a trusted site for which the user is currently authenticated.
The CSRF flaw was doubly dangerous because Hilton’s site didn’t require logged-in users to re-enter their current passwords before picking a new one.
“If they have so much personal information on people, they should be required to do Web application testing before publishing changes to the internet,” Snyder said. “Especially if they have millions of users like I’m sure they do.”
Snyder said attackers could easily enumerate Hilton Honors account numbers using the company’s Web site, which relies on a PIN reset page that will tell you whether any 9-digit number is a valid account.
“There are a billion combinations, but this testing on the PIN reset page could be easily automated,” Snyder said.
Hilton no longer allows users to pick a PIN as a password, and those who try to reset their password after logging in with the their PIN are told to pick a password of at least eight characters in length, containing at least one uppercase letter and a number or special character. Subsequent password changes, however, still do not require users to enter their existing password.
It is likely that the offer of 1,000 points for customers who voluntarily changed their passwords before April 1, 2015 was an effort to get more customers to ditch their 4-digit PINs. Hilton’s reliance on a 4-digit PIN to secure customer loyalty accounts was blamed last year for a spike in account takeovers in which customers logged in to find that thieves had cashed out or otherwise stolen their award points.
Many airlines that offer awards programs also still allow customers to log in with nothing more than a member number and a PIN, including Quantas and United.