Petronella Blog Archive

Visit our New Blog

Hijacking Hilton HHonors

Blog Post

Hilton Hotels & Resorts just wanted you to change your password. They didn't know that would lead to people find out out they could change other people's passwords... and more.

Hilton offered bonus points to people who changed the password for Hilton Hhonors before April 1, when the were going to mandate a password change. People at Bancsec, a security and testing consulting firm, discovered that with a simple change of the account number in the code of the account page, they could access other accounts as well.

Once the account was accessed, they were able to do anything a legitimate account holder could do, from changing passwords to redeeming reward points to making hotel reservations. They could even transfer points to other accounts and, here's the kicker, cash points in for prepaid debit cards. Cashing in on points aside, the account holder's personal information was also available, including the last four digits of any credit cards attached to the account.

Furthermore, there was no requirement to input an old password in order to update it. Hilton has changed this as well as putting restrictions on passwords to make them more secure. The passwords now have a minimum requirement of eight digits, whereas customers were able to use a four digit PIN before.

These flaws were pointed out to Hilton, who released the following statement:

Hilton Worldwide recently confirmed a vulnerability on a section of our Hilton HHonors website, and we took immediate action to remediate the vulnerability. As always, we encourage Hilton HHonors members to review their accounts and update their online passwords regularly as a precaution. Hilton Worldwide takes information security very seriously and we are committed to safeguarding our guests’ personal information.