Web Vulnerability Discovered in Hilton Hotel Site
A security flaw was discovered in the Hilton.com website that allowed an attacker to gain access to a client’s account simply by knowing or guessing the account number. Bansec security firm found the flaw at the Hilton HHonors page wherein an attacker could hijack any other account just by changing the site’s HTML content to reflect the other account number, then reloading the page.
After gaining entry, the hijacker could do anything a regular account-holder could do, such as view account details, change the password, redeem HHonors points for travel, and so on.
Hilton Honors Web App Security Flaw
Snyder, one of the Bansec security researchers, mentions on KrebsOnSecurity that the issue stems from a common flaw, a cross-site request forgery (CSRF) vulnerability. In this scenario, Hilton did not require logged-in users to re-enter their current passwords before choosing new ones. This was reported to the hotel chain and the flaw seems to have been fixed.
“Hilton Worldwide recently confirmed a vulnerability on a section of our Hilton HHonors website, and we took immediate action to remediate the vulnerability,” Hilton wrote in an emailed statement.
IDOR vs CSRF
Insecure Direct Object Reference vs Cross-Site Request Forgery
We asked IT Security Researcher Giuseppe Trotta for his thoughts on the report. In his view, the vulnerability was more of an IDOR than a CSRF.
Generally speaking, a Cross-Site Request Forgery (CSRF) attack requires some kind of interaction between the victim and the attacker. The main idea is to “steal” the user’s authenticated browser state to perform operations on their behalf from the attacker’s website. This can be done in a variety of ways, such as sending a malicious link to the victim via email or chat/IM.
Reading the article, it’s clear that the researchers didn’t attack the users of the application directly, but the application itself. Based on this scenario, it falls more under a vulnerability named Insecure Direct Object Reference (IDOR). This flaw occurs when there are insufficient authorization checks performed against a specific object identifier, in this case the profile page.
It would be best if we could have the full details of the technical report so we could determine exactly what the web vulnerability is, but based on the statements in the report, the web application is the one that is directly attacked.
Tips to Prevent Web App Attacks
Giuseppe adds a couple of tips to prevent what happened to the Hilton page from happening to your own website.
The tips are always the same:
- Never trust ANY input
- Don’t roll your own authentication mechanism, but if you must, you should seriously consider implementing authentication enforcement code (i.e. code that ensures access to authenticated resources is granted only to authorized users) in a front controller. This way, if there is an authentication bypass security problem, you will only need to fix it in a single file.
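The following is an added example, not code from the original post, from Hilton, or from Giuseppe Trotta. It illustrates both the IDOR pattern described in the commentary above (an object identifier supplied by the client is trusted without an ownership check) and the front-controller advice in the tips: a single `dispatch` function is the only place where authentication and object-level authorization are enforced, so every route behind it inherits the check. All names (`Request`, `dispatch`, `ACCOUNTS`, `SESSIONS`, the handlers) and all account, session and password data are constructed for illustration; the password change handler also re-verifies the current password, the control the article says was missing.

```python
"""Front-controller authorization versus a direct object reference that
trusts client input. Added example with constructed data; not the code of
any real site."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed sample data: account number -> profile record.
ACCOUNTS = {
    "1001": {"name": "Alice", "points": 12000},
    "1002": {"name": "Bob", "points": 500},
}

# Constructed server-side sessions: session token -> account of the logged-in user.
SESSIONS = {
    "sess-alice": "1001",
    "sess-bob": "1002",
}


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _new_credential(password: str) -> Tuple[bytes, bytes]:
    """Per-user random salt plus PBKDF2 hash (constructed credentials)."""
    salt = os.urandom(16)
    return salt, _hash(password, salt)


CREDENTIALS = {
    "1001": _new_credential("alice-pass-2015"),
    "1002": _new_credential("bob-pass-2015"),
}


def _verify_password(owner: str, password: str) -> bool:
    salt, stored = CREDENTIALS[owner]
    return hmac.compare_digest(_hash(password, salt), stored)


@dataclass
class Request:
    path: str                      # e.g. "/profile"
    session: Optional[str]         # session token from the cookie, if any
    params: Dict[str, str]         # client-supplied query/form parameters


Response = Tuple[int, dict]


def vulnerable_profile(req: Request) -> Response:
    """IDOR shape: whatever account number the client sends is looked up,
    with no check that it belongs to the logged-in user."""
    acct = req.params.get("account", "")
    if acct not in ACCOUNTS:
        return 404, {}
    return 200, ACCOUNTS[acct]


def profile_handler(req: Request, owner: str) -> Response:
    """Runs only after dispatch() has bound `owner` to the session."""
    return 200, ACCOUNTS[owner]


def change_password_handler(req: Request, owner: str) -> Response:
    """Requires the current password again before accepting a new one."""
    if not _verify_password(owner, req.params.get("current", "")):
        return 403, {"error": "current password incorrect"}
    new = req.params.get("new", "")
    if len(new) < 12:
        return 400, {"error": "new password too short"}
    CREDENTIALS[owner] = _new_credential(new)
    return 200, {"changed": True}


ROUTES: Dict[str, Callable[[Request, str], Response]] = {
    "/profile": profile_handler,
    "/password": change_password_handler,
}


def dispatch(req: Request) -> Response:
    """Front controller: the one place that enforces authentication and
    object-level authorization for every route."""
    # Identity comes from the server-side session, never from a parameter.
    owner = SESSIONS.get(req.session or "")
    if owner is None:
        return 401, {"error": "login required"}
    handler = ROUTES.get(req.path)
    if handler is None:
        return 404, {}
    # A client-supplied account number is accepted only if it is the
    # session's own account; any other value is refused here, before any
    # handler runs.
    if req.params.get("account", owner) != owner:
        return 403, {"error": "forbidden"}
    return handler(req, owner)


if __name__ == "__main__":
    print(vulnerable_profile(Request("/profile", "sess-alice", {"account": "1002"})))
    print(dispatch(Request("/profile", "sess-alice", {"account": "1002"})))
```

With the front controller in place, a fix to the ownership rule changes one function rather than every handler, which is the point of the second tip; handlers receive `owner` from the controller and never read the account number from the request themselves.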
Web Application Security Course Bundle
Do you want to become a Web Application Penetration Tester expert and learn to fight against common web vulnerabilities? Check out the eLearnSecurity Web Application Security training course bundles! More details here.
Giuseppe Trotta is a security researcher and instructor in eLearnSecurity. He is the main developer of the Hack.me project and he is also involved in the management of Hera lab virtualization infrastructures.