UK Hotel Booking Site VulnerableSecurity Researcher Identifies Several Security Flaws
UK hotel reservation site HotelHippo.com has taken itself offline following a blog post from a security researcher detailing several data security vulnerabilities.
"We are currently undergoing urgent site maintenance," a message on HotelHippo.com reads.
While booking a hotel through the website, Helme discovered that it was possible to obtain individuals' names, addresses and postal codes from past orders by manipulating the booking reference number in the URL. Another vulnerability: not authenticating access to confirmation details sent to a customer's e-mail.
"The e-mail contains a link for you to download your booking information, so I dutifully clicked on it to download and save a copy of my details," Helme says. When he visited the URL, he saw there was no authentication for the link, which contained information on the hotel he was staying at, the dates of his visit, the amount spent on the room and other details.
The confirmation details link also contained reference numbers in the URL which could be changed to show past customers' details. "At this point, an attacker has everything they could possibly need to launch a highly effective phishing attack against a user," Helme says.
"I notified HotelHippo of the issues ... on several occasions ... and it wasn't until things escalated to having the BBC involved that HotelHippo took action," Helme says. "Whilst I have to applaud them for taking the affected areas of the site offline at that time, it shouldn't have to get so far before companies start taking responsible disclosures seriously."
HotelHippo did not respond to a request for additional information.
The UK Information Commissioner's Office opened an investigation into the incident, the BBC reports. "We will be looking into the matter to establish the full details," a spokesperson told the news site.