Hilton HHonors Site Flaw Exposed All Accounts To Potential Hijacking

Following a report of a spike in hijacked accounts, Hilton recently asked its HHonors Awards members to change their passwords — offering them 1,000 bonus points if they did so before April 1. But cybersecurity experts say that hackers didn’t actually need passwords to take control of other folks’ HHonors accounts.

KrebsOnSecurity.com reports that researchers at security consulting and testing firm Bancsec discovered that the only thing needed to take over an HHonors account was a user’s 9-digit account number. If the hacker logged in using one account, they could hijack a different account by tinkering with the HTML and then reloading.

Bancsec says the HHonors site had what’s known as a cross-site request forgery (CSRF) vulnerability, which basically lets an attacker cause an authenticated user to perform an unwanted action on a trusted site.

Once the hijacker accessed the other person’s account, they were free to view travel itineraries and to redeem or transfer HHonors points. Another flaw in the Hilton site allowed hijackers to change account passwords without having to first enter the current password.

They also had access to the user’s personal info like e-mail addresses, mailing addresses, and partial credit card numbers.
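The three server-side checks whose absence is described above (a target account taken from the request rather than the login session, no CSRF token, no current-password prompt) look like this in a password-change handler. This is an added illustration, not Hilton's or Bancsec's code; the function names, form fields, and in-memory stores are all hypothetical.

```python
import hashlib, hmac, secrets

ACCOUNTS = {}   # account number -> {"salt": bytes, "pw": bytes}  (constructed store)
SESSIONS = {}   # session id -> {"account": str, "csrf": str}     (constructed store)

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def create_account(number, password):
    salt = secrets.token_bytes(16)
    ACCOUNTS[number] = {"salt": salt, "pw": _hash(password, salt)}

def login(number, password):
    acct = ACCOUNTS.get(number)
    if not acct or not hmac.compare_digest(acct["pw"], _hash(password, acct["salt"])):
        return None
    sid = secrets.token_urlsafe(32)
    # A fresh CSRF token is bound to the session and embedded in its forms.
    SESSIONS[sid] = {"account": number, "csrf": secrets.token_urlsafe(32)}
    return sid

def change_password(sid, form):
    """Return (status, reason). `form` is the untrusted request body."""
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "not logged in"
    # 1. CSRF: the request must echo the token issued to this session.
    sent = str(form.get("csrf", "")).encode()
    if not hmac.compare_digest(session["csrf"].encode(), sent):
        return 403, "bad CSRF token"
    # 2. Authorization: the target account comes from the server-side session.
    #    An account number in the form that names anyone else is rejected.
    account = session["account"]
    if form.get("account", account) != account:
        return 403, "account mismatch"
    # 3. Re-authentication: the current password must be supplied and correct.
    acct = ACCOUNTS[account]
    current = _hash(str(form.get("current", "")), acct["salt"])
    if not hmac.compare_digest(acct["pw"], current):
        return 403, "current password wrong"
    new = form.get("new")
    if not new:
        return 400, "new password missing"
    acct["salt"] = secrets.token_bytes(16)
    acct["pw"] = _hash(str(new), acct["salt"])
    return 200, "changed"
```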

Some holders of HHonors accounts had seen their hard-earned rewards drained by hijackers who would take control of these accounts and redirect any alerts to new e-mail addresses. The points could be used to book travel or sold to third parties.

It was believed that hackers were brute-forcing their way into accounts by running scripts that repeatedly entered combinations of account numbers and 4-digit PINs until getting in, but this latest discovery seems to indicate that there was a way in that didn’t require as much work.

Krebs notified Hilton about the flaw found by Bancsec and it appears as if the hotel chain has plugged this particular hole.

“Hilton Worldwide recently confirmed a vulnerability on a section of our Hilton HHonors website, and we took immediate action to remediate the vulnerability,” reads a statement from the company. “As always, we encourage Hilton HHonors members to review their accounts and update their online passwords regularly as a precaution. Hilton Worldwide takes information security very seriously and we are committed to safeguarding our guests’ personal information.”
