Igor Baikalov, chief scientist at Securonix (www.securonix.com), provided the following analysis of reports of a powerful flaw in the Hilton Hotels site that lets anyone hijack a Hilton Honors account just by knowing or guessing its valid 9-digit Hilton Honors account number.
It seems there are at least three common vulnerabilities on the website:
- Forced Browsing, where an attacker can manipulate request parameters to access other users' resources due to predictable resource location and lack of session validation;
- Account Harvesting, which allows enumeration of possible valid PIN values through an unsecured page;
- Broken Authentication and Session Management, which permits sensitive operations (like password reset) without re-validating the user session.
These three have been on the Top 10 list of web application vulnerabilities for well over a decade, and should have been discovered in any security assessment in minutes. Based on the apparent lack of security oversight of the website development, a competent pen-tester should be able to find quite a few more issues, even using only automated tools for vulnerability assessment.
Judging from the trivial nature of the vulnerabilities discovered so far, it's unlikely that Hilton Honors has any kind of comprehensive monitoring of user activities; therefore, figuring out how many times this flaw has been exploited would take a lot of digging through the log files.
Until the company proves that it takes security seriously, Honors users should be wary of potential manipulation of their account data, as well as of the risk of identity theft based on the information in their Honors profile.
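The three weaknesses above each leave a distinctive trace in ordinary web access logs, which is exactly the "digging through the log files" the analysis refers to. The script below is an added example, not code from Securonix or from the article: it runs three detections over a handful of constructed log lines (rejected PIN checks per source IP for harvesting, distinct 9-digit account numbers read per session for forced browsing, and password resets accepted for sessions that never logged in). The endpoint paths (/honors/pin-check, /honors/account, /honors/reset-password, /honors/login), the log layout and the thresholds are assumptions for illustration and are not Hilton's real paths or log format.

```python
"""Log-based detection sketch for the three weakness classes described above.

The log format, endpoint names and sample lines are constructed assumptions
for this example, not Hilton's real paths or log layout.
"""
import re
from collections import defaultdict

# Assumed log format: "<timestamp> <src_ip> <session_id> <method> <path> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<session>\S+) (?P<method>[A-Z]+) "
    r"(?P<path>\S+) (?P<status>\d{3})$"
)
# Assumed endpoints (hypothetical names for illustration)
ACCOUNT_RE = re.compile(r"/honors/account\?id=(?P<acct>\d{9})")
PIN_CHECK = "/honors/pin-check"
RESET = "/honors/reset-password"
LOGIN = "/honors/login"


def parse(lines):
    """Turn raw log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["status"] = int(d["status"])
            events.append(d)
    return events


def find_pin_enumeration(events, threshold=20):
    """Account harvesting: many rejected PIN checks from one source IP."""
    failures = defaultdict(int)
    for e in events:
        if e["path"].startswith(PIN_CHECK) and e["status"] in (401, 403):
            failures[e["ip"]] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}


def find_forced_browsing(events, threshold=3):
    """Forced browsing: one session successfully reading many distinct account numbers."""
    accounts = defaultdict(set)
    for e in events:
        m = ACCOUNT_RE.search(e["path"])
        if m and e["status"] == 200:
            accounts[e["session"]].add(m.group("acct"))
    return {s: sorted(a) for s, a in accounts.items() if len(a) >= threshold}


def find_unauthenticated_resets(events):
    """Broken session management: a reset accepted for a session with no prior login.

    Assumes events are in chronological order, as an access log normally is.
    """
    logged_in = set()
    suspicious = []
    for e in events:
        if e["path"] == LOGIN and e["method"] == "POST" and e["status"] == 200:
            logged_in.add(e["session"])
        elif e["path"] == RESET and e["method"] == "POST" and e["status"] == 200:
            if e["session"] not in logged_in:
                suspicious.append((e["session"], e["ip"]))
    return suspicious


def run(lines):
    """Run all three detections and return their findings keyed by weakness."""
    events = parse(lines)
    return {
        "pin_enumeration": find_pin_enumeration(events),
        "forced_browsing": find_forced_browsing(events),
        "unauthenticated_resets": find_unauthenticated_resets(events),
    }


# Constructed sample log (TEST-NET addresses, fictitious sessions and account numbers):
SAMPLE_LOG = (
    # 25 rejected PIN guesses from one IP within the same session
    [f"2015-02-01T10:00:{i:02d} 203.0.113.7 sess-a POST {PIN_CHECK} 401" for i in range(25)]
    # one session walking four different 9-digit account numbers
    + [f"2015-02-01T10:05:00 198.51.100.9 sess-b GET /honors/account?id={n} 200"
       for n in ("100000001", "100000002", "100000003", "100000004")]
    # a reset with no login, then a benign login followed by a reset
    + ["2015-02-01T10:06:00 192.0.2.5 sess-c POST /honors/reset-password 200",
       "2015-02-01T10:07:00 192.0.2.6 sess-d POST /honors/login 200",
       "2015-02-01T10:07:30 192.0.2.6 sess-d POST /honors/reset-password 200"]
)

if __name__ == "__main__":
    for name, hits in run(SAMPLE_LOG).items():
        print(f"{name}: {hits}")
```

The thresholds are deliberately low so the sample trips them; in production they would be tuned per endpoint, and the reset check would key on whatever step-up or re-authentication event the site actually records rather than a bare login.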