Igor Baikalov, chief scientist at Securonix (www.securonix.com), provided the following analysis of reports of a powerful flaw in the Hilton Hotels site that lets anyone hijack a Hilton Honors account just by knowing or guessing its valid 9-digit Hilton Honors account number.
It seems there are at least three common vulnerabilities on the website:
- Forced Browsing, where an attacker can manipulate request parameters to access other users' resources due to predictable resource location and lack of session validation;
- Account Harvesting, which allows enumeration of possible valid PIN values through an unsecured page;
- Broken Authentication and Session Management, which permits sensitive operations (like password reset) without re-validating the user session.
These three have been on the Top 10 list of web application vulnerabilities for well over a decade, and should have been discovered in any security assessment in minutes. Based on the apparent lack of security oversight of the website development, a competent pen-tester should be able to find quite a few more issues, even with just automated tools for vulnerability assessment.
Judging from the trivial nature of the vulnerabilities discovered so far, it's unlikely that Hilton Honors has any kind of comprehensive monitoring of user activities; therefore, figuring out how many times this flaw has been exploited would take a lot of digging through the log files.
Until the company proves that it takes security seriously, Honors users should be wary of potential manipulation of their account data, as well as of the risk of identity theft based on the information in their Honors profile.
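The analysis above notes that establishing how often the flaw was exploited would mean digging through log files. As an added example (not from the report, from Hilton, or from Securonix), the following detection pass runs over constructed access-log lines and flags clients that browse an implausible number of distinct 9-digit account numbers, plus any password reset such a client then triggers. The `acct` parameter name, the endpoint paths and the log lines are all assumptions for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample log in combined-style format; IPs, paths and account
# numbers are invented for illustration and are not from the original report.
SAMPLE_LOG = """\
203.0.113.10 - - [17/Dec/2014:10:01:02 +0000] "GET /honors/profile?acct=100000001 HTTP/1.1" 200 5123
203.0.113.10 - - [17/Dec/2014:10:01:03 +0000] "GET /honors/profile?acct=100000002 HTTP/1.1" 200 5120
203.0.113.10 - - [17/Dec/2014:10:01:04 +0000] "GET /honors/profile?acct=100000003 HTTP/1.1" 200 5118
203.0.113.10 - - [17/Dec/2014:10:01:05 +0000] "GET /honors/profile?acct=100000004 HTTP/1.1" 200 5130
203.0.113.10 - - [17/Dec/2014:10:01:06 +0000] "POST /honors/reset-password?acct=100000004 HTTP/1.1" 302 0
198.51.100.7 - - [17/Dec/2014:10:05:00 +0000] "GET /honors/profile?acct=100000055 HTTP/1.1" 200 5122
198.51.100.7 - - [17/Dec/2014:10:05:30 +0000] "GET /honors/profile?acct=100000055 HTTP/1.1" 200 5122
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
ACCT_PARAM = "acct"                      # assumed query-parameter name
RESET_PATH = "/honors/reset-password"    # assumed reset endpoint

def parse_requests(log_text):
    """Yield (ip, method, path, account, status) for each parsable line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["path"])
        acct = parse_qs(parts.query).get(ACCT_PARAM, [None])[0]
        # Only a well-formed 9-digit value counts as an account reference.
        if acct and not re.fullmatch(r"\d{9}", acct):
            acct = None
        yield m["ip"], m["method"], parts.path, acct, int(m["status"])

def find_suspicious_clients(log_text, max_accounts=3):
    """Map ip -> sorted distinct accounts for clients that successfully
    viewed more account numbers than a legitimate member plausibly would."""
    seen = defaultdict(set)
    for ip, _method, _path, acct, status in parse_requests(log_text):
        if acct and status == 200:
            seen[ip].add(acct)
    return {ip: sorted(a) for ip, a in seen.items() if len(a) > max_accounts}

def find_resets_after_enumeration(log_text, max_accounts=3):
    """Password resets issued by a client already flagged for enumeration:
    the harvest-then-take-over sequence the analysis warns about."""
    flagged = find_suspicious_clients(log_text, max_accounts)
    return [(ip, acct) for ip, method, path, acct, _ in parse_requests(log_text)
            if ip in flagged and method == "POST" and path == RESET_PATH]
```

The threshold is deliberately a parameter: on real traffic it should be set from a baseline of how many distinct accounts a single client normally touches, not a fixed constant.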
Securonix is working to radically transform all areas of data security with actionable security intelligence. Our purpose-built advanced security analytics technology mines, enriches, analyzes, scores and visualizes customer data into actionable intelligence on the highest risk threats from within and outside their environment. Using signature-less anomaly detection techniques that track user, account, and system behavior, Securonix is able to automatically and accurately detect the most advanced data security and fraud attacks. Globally, customers are using Securonix to address the most basic and complex needs around threat detection and monitoring, high privileged activity monitoring, enterprise and web fraud detection, application risk monitoring, and access risk management. For more information visit www.securonix.com.