A cross-site request forgery (CSRF) vulnerability in the website of hotel chain Hilton Worldwide could have exposed much of its users’ personal information.
Ironically, the since-fixed issue stemmed from a promotion the chain was offering to users if they changed their passwords on a benefits service it runs. As part of the offer, users who changed passwords associated with their Hilton Honors account before April 1 would be given 1,000 free awards points.
According to Krebs on Security, until Hilton fixed a loophole in its system, the same promotion could have let anyone hijack the account of someone who switched his or her password as long as the attacker could guess their nine-digit account number correctly.
By reconfiguring the site’s HTML and reloading the page, attackers could have gleaned additional information, like the customers’ email address, physical address, and the last four digits of any credit card number they may have had on file.
Attackers basically would have had complete access to the person’s account. They could have changed the password associated with it, viewed upcoming and past trips, and used the victim’s points to book future trips. The vulnerability could even have let the attackers liquidate the user’s account and funnel their points into prepaid debit cards or into another user’s account.
Researchers Brandon Potter and JB Snyder at the security firm Bancsec logged into Krebs’ Hilton account and forwarded him screenshots as proof they had found a vulnerability. It was only after Krebs contacted the hotel company that it stopped allowing users to reset their passwords and fixed the issue.
“Hilton Worldwide recently confirmed a vulnerability on a section of our Hilton Honors website, and we took immediate action to remediate the vulnerability,” Hilton said in a statement, according to Krebs.
On top of the CSRF vulnerability, Hilton apparently didn’t require users to re-enter their current password when changing to a new one. Its site even told users whether each nine-digit number they entered was valid, according to Krebs, which could have compounded the issue further.
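To make the two weaknesses concrete, here is an added, simplified illustration (not Hilton’s code and not from Krebs’ report) of a password-change handler with the flaws described above, beside a hardened version that requires a session-bound CSRF token and the current password. The account number, session cookie and passwords are constructed sample values.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # hypothetical key that binds CSRF tokens to a session

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)

def make_store():
    """Constructed in-memory state: one account and one logged-in session (not real data)."""
    salt = secrets.token_bytes(16)
    return {
        "accounts": {"123456789": {"salt": salt, "pw_hash": hash_password("OldPassw0rd!", salt)}},
        "sessions": {"sess-abc": "123456789"},  # session cookie -> account number
    }

def csrf_token(session_id: str) -> str:
    # Derived from the session; a cross-site page can neither read the cookie nor compute this.
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def change_password_vulnerable(store, cookie, form):
    """Mirrors the flaw described above: any POST that rides on the victim's session cookie
    changes the password, with no CSRF token and no current-password check."""
    acct = store["sessions"].get(cookie)
    if acct is None:
        return 401
    rec = store["accounts"][acct]
    rec["pw_hash"] = hash_password(form["new_password"], rec["salt"])
    return 200

def change_password_hardened(store, cookie, form):
    acct = store["sessions"].get(cookie)
    if acct is None:
        return 401
    rec = store["accounts"][acct]
    # 1. The request must carry a token bound to this session, which a forged form cannot supply.
    if not hmac.compare_digest(form.get("csrf_token", ""), csrf_token(cookie)):
        return 403
    # 2. Re-authenticate before a sensitive change: the current password must be correct.
    if not password_matches(store, acct, form.get("current_password", "")):
        return 403
    rec["pw_hash"] = hash_password(form["new_password"], rec["salt"])
    return 200

def password_matches(store, account, password):
    rec = store["accounts"][account]
    return hmac.compare_digest(hash_password(password, rec["salt"]), rec["pw_hash"])
```

A browser-submitted forged form reaches the vulnerable handler with only the cookie and a new password and succeeds; the hardened handler rejects it because the token and current password are missing.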
Attackers could have rigged the PIN reset page checker to determine users’ PINs, Snyder told Krebs.
“There are a billion combinations but this… could be easily automated,” Snyder said.
Hilton Hotels did fix the issue and now forbids users from using a PIN as their password. Instead, users are prompted to pick a password of at least eight characters that includes an uppercase letter and a number or special character. However, users can apparently still change their password without entering their current password.