Hilton’s Wrong-Way Security Snafu

A move to improve online security by Hilton Hotels’ Hilton HHonors loyalty program resulted in exposing customer information in all accounts to potential cybertheft, Krebs on Security reported on Monday (March 23).

The security hole, which has now been closed, would allow a thief to have loyalty points converted to cash in the form of prepaid debit cards, as well as see loyalty customers’ names, addresses, email addresses and the last four digits of any payment card on file. A thief could also do anything that a legitimately logged-in loyalty customer could do.

Ironically, the purpose of the special page containing the security hole was apparently to get customers to change their passwords from four-digit PINs to more conventional passwords. Use of the PINs was blamed last year for a spike in Hilton loyalty account takeovers, in which customers logged in to find that thieves had cashed out or used their award points.

Hilton HHonors Awards was offering 1,000 free award points to customers who made the change voluntarily before April 1, when a password change will be mandatory for anyone logging in.

However, JB Snyder and Brandon Potter, two researchers from security firm Bancsec, discovered that once they had legitimately logged into a Hilton HHonors account, they could make minor changes to the site’s HTML content and then reload the page to hijack any other Hilton loyalty account if they knew the account number. They also discovered that the Hilton website’s PIN reset page would let them confirm whether any nine-digit number was a valid account number.
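As an added illustration, not part of the original report and not Hilton's code: a minimal Python model of the two weaknesses the researchers describe (a page that trusts an account number sent back by the browser, and a reset page whose reply reveals whether a number is a real account), each beside its hardened form. The account numbers, the session layout and the hidden-field name `account_number` are assumptions.

```python
from dataclasses import dataclass

# Constructed sample accounts, keyed by an assumed nine-digit account number.
ACCOUNTS = {
    "123456789": {"name": "A. Member", "points": 50_000},
    "987654321": {"name": "B. Member", "points": 12_000},
}


@dataclass
class Session:
    account_number: str  # bound at login on the server; never taken from the client


def profile_vulnerable(session: Session, form: dict) -> dict:
    """Trusts an account number echoed back from the page (assumed hidden field).

    Any logged-in user can edit that field to another valid number and then
    read or act on that account: the pattern behind the hijack described above."""
    acct = form.get("account_number", session.account_number)
    return ACCOUNTS[acct]


def profile_hardened(session: Session, form: dict) -> dict:
    """Derives identity from the server-side session only.

    A client-supplied number that disagrees with the session is treated as
    tampering and rejected rather than honoured."""
    submitted = form.get("account_number")
    if submitted is not None and submitted != session.account_number:
        raise PermissionError("client-supplied account number does not match session")
    return ACCOUNTS[session.account_number]


def pin_reset_vulnerable(account_number: str) -> str:
    """Distinct replies let a caller confirm which nine-digit numbers are real accounts."""
    if account_number in ACCOUNTS:
        return "Reset instructions sent"
    return "Account not found"


def pin_reset_hardened(account_number: str) -> str:
    """Identical reply text whether or not the account exists.

    The reset message itself would be sent out of band only for a real account,
    so the response body no longer works as an account-validity oracle."""
    if account_number in ACCOUNTS:
        pass  # queue the reset message here; nothing about it reaches the reply
    return "If that account exists, reset instructions have been sent"
```

The hardened reset handler still needs roughly constant response time and per-source rate limiting, since the reply text is only one of the channels that can leak validity.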

Hilton shut down the page within hours after being alerted to the problem by security reporter Brian Krebs, and later relaunched it with the problem fixed.

“Hilton Worldwide recently confirmed a vulnerability on a section of our Hilton HHonors website, and we took immediate action to remediate the vulnerability,” the hotel chain told Krebs in an emailed statement. “As always, we encourage Hilton HHonors members to review their accounts and update their online passwords regularly as a precaution. Hilton Worldwide takes information security very seriously and we are committed to safeguarding our guests’ personal information.”

Hilton didn’t say whether any customers reported having their accounts breached by thieves before the vulnerability was closed.