Hilton Honors Web Site Flaw Found and Fixed

I have to both harass and complement Hilton.

Until recently, Hilton was offering Honors members 1,000 points to change their passwords.

First the harassment:

A security staffer at BancSec figured out that you could hijack any other Honors account by guessing or knowing the account number and making a small change to the site’s HTML.

The hacker could then redeem points, change the password and do anything that the hacked user would be able to do.

This might indicate a lack of white hat hacking on Hilton’s part.

And now the complement part:

After being informed, Hilton immediately blocked password changes, effectively stopping, at least, the hijack part of this hack.  Hilton quickly fixed the flaw as well.

This hack, a cross site request forgery attack (see here), exposed some design flaws also.  For example, Hilton did not require you to enter your old password when you changed your password.   If they had, the attackers in this case would not have been able to hijack random accounts because they did not know any of the existing passwords.

Apparently, the 1,000 point reward was designed to speed up the migration from Hilton’s old 4 digit PIN login security to an 8 digit complex password.  The old 4 digit PIN security caused a large number of Hilton Honors accounts to be hijacked last year.  Users will be forced to select a password starting April 1st if they try logging on with their PIN.

by