UK Hotel Booking Site Vulnerable

Security Researcher Identifies Several Security Flaws

UK hotel reservation site HotelHippo.com has taken itself offline following a blog post from a security researcher detailing several data security vulnerabilities.


"We are currently undergoing urgent site maintenance," a message on HotelHippo.com reads.

The potential flaws on the site were discovered by Scott Helme, an information security consultant at Pentest Limited, which specializes in web application security and penetration testing services.

While booking a hotel through the website, Helme discovered that it was possible to obtain individuals' names, addresses and postal codes from past orders by manipulating the booking reference number in the URL. A second vulnerability: the confirmation-details link sent to a customer's e-mail could be accessed without any authentication.

"The e-mail contains a link for you to download your booking information, so I dutifully clicked on it to download and save a copy of my details," Helme says. When he visited the URL, he found that the link required no authentication; the page it led to showed the hotel he was staying at, the dates of his visit, the amount spent on the room and other details.

The confirmation details link also contained reference numbers in the URL which could be changed to show past customers' details. "At this point, an attacker has everything they could possibly need to launch a highly effective phishing attack against a user," Helme says.
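The two weaknesses described above are both instances of an insecure direct object reference: a record is served to whoever supplies its sequential reference number. The following added example (not HotelHippo's code, written here to illustrate the defence) contrasts an unchecked lookup with one that enforces ownership, and shows how an e-mailed download link can be made unforgeable with an HMAC over the reference. The booking data, the `example.invalid` host and the `LINK_KEY` secret are constructed placeholders.

```python
import hashlib
import hmac
import secrets

# Constructed sample data standing in for a booking database (not real customer records).
BOOKINGS = {
    "1001": {"owner": "alice", "hotel": "Example Hotel", "postcode": "AB1 2CD"},
    "1002": {"owner": "bob", "hotel": "Sample Inn", "postcode": "EF3 4GH"},
}

# Server-side secret used to sign download links (assumed: generated per deployment,
# kept out of source control and rotated like any other credential).
LINK_KEY = secrets.token_bytes(32)


def get_booking_insecure(ref):
    """Insecure direct object reference: any edited or guessed ref returns the record."""
    return BOOKINGS.get(ref)


def get_booking_secure(ref, current_user):
    """Ownership check: the booking is returned only to the account that made it."""
    booking = BOOKINGS.get(ref)
    if booking is None or booking["owner"] != current_user:
        # Identical response for "no such ref" and "someone else's ref", so the
        # endpoint does not confirm which reference numbers exist.
        return None
    return booking


def make_download_link(ref):
    """An unauthenticated link must carry an unguessable, unforgeable capability.

    The token is bound to the specific ref, so it cannot be reused on another one.
    """
    tag = hmac.new(LINK_KEY, ref.encode(), hashlib.sha256).hexdigest()
    return f"https://example.invalid/confirmation?ref={ref}&token={tag}"


def fetch_confirmation(ref, token):
    """Recompute the tag and compare in constant time before releasing any details."""
    expected = hmac.new(LINK_KEY, ref.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token):
        return None
    return BOOKINGS.get(ref)
```

In a real deployment the token would also carry an expiry, and a failed verification should be logged so that bursts of rejected lookups can be detected.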

"I notified HotelHippo of the issues ... on several occasions ... and it wasn't until things escalated to having the BBC involved that HotelHippo took action," Helme says. "Whilst I have to applaud them for taking the affected areas of the site offline at that time, it shouldn't have to get so far before companies start taking responsible disclosures seriously."

HotelHippo did not respond to a request for additional information.

The UK Information Commissioner's Office opened an investigation into the incident, the BBC reports. "We will be looking into the matter to establish the full details," a spokesperson told the news site.


About the Author

Jeffrey Roman


News Writer, ISMG

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.



