Recently, Hilton tried to proactively improve user account security by offering 1,000 points to HHonors members who changed their passwords before April 1. But, that plan unintentionally exposed a serious flaw in the Hilton HHonors website that put every account holder's information and points at risk.
The vulnerability was uncovered by Brandon Potter and JB Snyder, technical security consultant and founder, respectively, at security consulting and testing firm Bancsec. The two found that once they’d logged into a Hilton Honors account, they could hijack any other account just by knowing its account number. All it took was a small change to the site’s HTML content followed by a page reload.
That means anyone with their own Hilton HHonors account could potentially log in to someone else's account if they know the person's account number. Hackers could also set up an automated system to guess account numbers.
Snyder said the problem stemmed from a common Web application weakness called a cross-site request forgery (CSRF) vulnerability, a type of attack that occurs when a malicious Web site, email, blog, instant message, or program causes a user’s Web browser to perform an unwanted action on a trusted site for which the user is currently authenticated.
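What a server-side guard against the weakness described above looks like, as an added illustration that is not Hilton's code or anything taken from the article: a synchronizer token bound to the session, an Origin check as defence in depth, and a state-changing endpoint that takes the account to act on from the authenticated session rather than from the submitted form. The hostnames, session layout and account numbers are constructed placeholders, and the assumption that the tampered page content carried a client-supplied account number is mine, not something the article states.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Per-deployment secret used to bind tokens to sessions (constructed for this example).
SERVER_KEY = secrets.token_bytes(32)

# Origins from which state-changing requests are accepted (placeholder hostname).
TRUSTED_ORIGINS = {"https://hhonors.example"}


@dataclass
class Session:
    session_id: str
    account_number: str      # the account authenticated for this session
    csrf_token: str = ""     # most recently issued synchronizer token


def issue_csrf_token(session: Session) -> str:
    """Mint an unguessable token and bind it to the session id with an HMAC."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_KEY, f"{session.session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    session.csrf_token = f"{nonce}.{mac}"
    return session.csrf_token


def csrf_token_valid(session: Session, submitted: Optional[str]) -> bool:
    """Accept only the token issued to this session; reject missing, foreign or altered ones."""
    if not submitted or not session.csrf_token or "." not in submitted:
        return False
    nonce, mac = submitted.split(".", 1)
    expected = hmac.new(SERVER_KEY, f"{session.session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    # Both comparisons are constant-time; the second ties the token to the live session.
    return hmac.compare_digest(mac, expected) and hmac.compare_digest(submitted, session.csrf_token)


def origin_allowed(headers: Dict[str, str]) -> bool:
    """Defence in depth: browsers attach the requesting page's Origin to cross-site POSTs.
    Requests with neither Origin nor Referer are refused as well, because a same-site
    form post from a browser always carries one."""
    source = headers.get("Origin") or headers.get("Referer")
    if source is None:
        return False
    return any(source == o or source.startswith(o + "/") for o in TRUSTED_ORIGINS)


def handle_change_password(session: Session, headers: Dict[str, str],
                           form: Dict[str, str]) -> Tuple[int, str]:
    """A state-changing endpoint guarded against CSRF.

    The account acted on is taken from the server-side session, never from a
    form field, so a client that edits the page's HTML cannot redirect the
    change to a different account number (assumed hardening; the article does
    not say which field was tampered with)."""
    if not origin_allowed(headers):
        return 403, "cross-site request refused"
    if not csrf_token_valid(session, form.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    if "account_number" in form and form["account_number"] != session.account_number:
        # A mismatch here is a tampering indicator worth alerting on.
        return 403, "account mismatch"
    return 200, f"password changed for account {session.account_number}"


def demo() -> Tuple[int, int, int, int]:
    """Exercise the guard with constructed requests; returns the four status codes."""
    victim = Session(session_id=secrets.token_hex(8), account_number="123456789")
    other = Session(session_id=secrets.token_hex(8), account_number="555000111")
    token = issue_csrf_token(victim)
    other_token = issue_csrf_token(other)
    same_site = {"Origin": "https://hhonors.example"}

    legit = handle_change_password(victim, same_site, {"csrf_token": token, "new_password": "x"})
    # Forged cross-site POST: foreign Origin, and the forging page cannot read the victim's token.
    forged = handle_change_password(victim, {"Origin": "https://other-site.example"}, {"new_password": "x"})
    # A token minted for a different session does not validate against this one.
    borrowed = handle_change_password(victim, same_site, {"csrf_token": other_token, "new_password": "x"})
    # Valid token, but the form names somebody else's account.
    tampered = handle_change_password(victim, same_site,
                                      {"csrf_token": token, "account_number": "987654321", "new_password": "x"})
    return legit[0], forged[0], borrowed[0], tampered[0]


if __name__ == "__main__":
    print(demo())  # (200, 403, 403, 403)
```

The token check alone addresses the CSRF class the article names; the last check in `handle_change_password` is what stops the account-switching behaviour the consultants described, since no value the browser submits is allowed to choose which account the operation applies to.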
Once inside someone else's account, hackers could change the password, view contact information and access the last four digits of saved credit cards. They could also use points, cash them out or even transfer points to other users.