Customer details obtained by changing the booking reference number

Jul 2, 2014 12:43 GMT

Recently, the website of the HotelHippo hotel booking service was taken offline to remedy security flaws that leaked customer information.

Security consultant Scott Helme found a myriad of security flaws when trying to book a hotel room through HotelHippo.com, owned by HotelStayUK.

The flaws he observed would allow a cybercriminal to extract a victim's booking data: the hotel booked, the duration of the stay, the rooms reserved, and the number of people travelling with them.

All of this information could be obtained even though the page was served over a secure connection. Transport encryption only protects the data from eavesdroppers in transit; it does nothing about who is allowed to request the page. The flaw was that the URL contained the booking reference number, and those numbers were generated sequentially.

Loading the page with a different reference number returned the booking details of other customers.

The reference number also appeared in the link to the payment details page, which revealed the customer's name along with the billing address.

The flaws went further still: Helme found that the booking information behind the confirmation link was served over an insecure, unencrypted connection.

The details available included the hotel booked, the cost of the rooms, the number of rooms and customers, as well as check-in and check-out dates.

Worst of all, the booking reference number was present in that link as well, so the same information could be pulled for other customers too.
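The pattern described above is an insecure direct object reference: the server trusts whatever identifier appears in the URL. The following is an added example, not code from HotelHippo or from Helme's write-up, showing the flawed lookup beside two hardened versions: one that checks the authenticated user owns the booking, and one for unauthenticated confirmation links that requires a random, unguessable token next to the sequential number. All bookings, user names, hosts and tokens are constructed sample data.

```python
"""Added example (not HotelHippo's code): an insecure direct object reference
on a sequential booking number, beside hardened lookups that enforce
ownership and use unguessable tokens for e-mailed confirmation links."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Booking:
    ref: int               # sequential booking reference, as on the site
    owner: str             # account that made the booking
    hotel: str
    check_in: str
    check_out: str
    billing_address: str
    confirm_token: str     # random per-booking token for the confirmation link


# Constructed sample data: consecutive references belonging to two customers.
BOOKINGS: Dict[int, Booking] = {
    1001: Booking(1001, "alice", "Harbour Hotel", "2014-07-10", "2014-07-12",
                  "1 Quay Street", secrets.token_urlsafe(32)),
    1002: Booking(1002, "bob", "Station Inn", "2014-07-11", "2014-07-13",
                  "9 Rail Road", secrets.token_urlsafe(32)),
}


class Forbidden(Exception):
    """Raised for both 'no such booking' and 'not your booking', so the
    response does not reveal which reference numbers exist."""


def get_booking_insecure(ref: int) -> Optional[Booking]:
    """The flawed pattern: the identifier from the URL is the only check.
    Changing `ref` to a neighbouring number returns someone else's booking."""
    return BOOKINGS.get(ref)


def get_booking_secure(session_user: Optional[str], ref: int) -> Booking:
    """Hardened pattern for logged-in pages: fetch the record, then verify
    that the authenticated user owns it before returning anything."""
    booking = BOOKINGS.get(ref)
    if session_user is None or booking is None or booking.owner != session_user:
        raise Forbidden(f"booking {ref}: not found or not permitted")
    return booking


def get_booking_by_token(ref: int, token: str) -> Booking:
    """Hardened pattern for unauthenticated confirmation links: require the
    per-booking random token as well as the reference, compared in constant
    time, so the sequential number alone is useless to a guesser."""
    booking = BOOKINGS.get(ref)
    if booking is None or not hmac.compare_digest(booking.confirm_token, token):
        raise Forbidden(f"booking {ref}: invalid confirmation link")
    return booking


def confirmation_url(booking: Booking, host: str = "hotel.example") -> str:
    """Build the e-mailed confirmation link: HTTPS only (the original link was
    served unencrypted), carrying the random token, not just the number."""
    return f"https://{host}/confirm?ref={booking.ref}&token={booking.confirm_token}"


def can_access(session_user: Optional[str], ref: int) -> bool:
    """Convenience wrapper: True if the ownership check passes."""
    try:
        get_booking_secure(session_user, ref)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    # Alice is logged in and tries her own reference and the next one up.
    print("insecure, ref 1002 ->", get_booking_insecure(1002).owner)   # bob's data leaks
    print("secure, alice/1001 ->", can_access("alice", 1001))          # True
    print("secure, alice/1002 ->", can_access("alice", 1002))          # False
    print(confirmation_url(BOOKINGS[1001]))
```

The ownership check is the fix; switching to random reference numbers on its own is not, because a leaked or indexed link would still work for anyone who has it. Note also that robots.txt, discussed further down in the article, is a request to well-behaved crawlers rather than an access control, so a page that must stay private needs the authorization check above regardless of what robots.txt says.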

With all these details at their disposal, cybercriminals can run phishing attacks on the victim in order to get credit card information, or they can plot a burglary, since they know the exact address and the time interval the owners are gone.

Helme also checked whether the site administrators had restricted web crawlers that index content, such as Google's. The robots.txt file imposed no restrictions, so crawlers could index any area of the site, including pages that were supposed to be private.

The security consultant ran a Google search, which revealed a link to payment details containing a booking reference number.

Scott Helme contacted HotelHippo via phone and email on June 25, as soon as he found the security flaws, but the company representatives did not reply.

The website was taken offline only after the BBC contacted the company about the security issues.

“Whilst I have to applaud them for taking the affected areas of the site offline at that time, it shouldn’t have to get so far before companies start taking responsible disclosures seriously,” said Helme.