http://arstechnica.com/security/2015...mbers-account/
Hilton Hotels & Resorts has patched a gaping hole in its website that let anyone with a Hilton Honors account hack another account simply by knowing or guessing its 9-digit number. [...]
After that, they could see and do everything available to the legitimate holder of that account, such as changing the account password; viewing past and upcoming travel; redeeming Hilton Honors points for travel or hotel reservations worldwide; or having the points sent as cash to prepaid credit cards or transferred to other Hilton Honors accounts. The vulnerability also exposed the customer’s email address, physical address, and the last four digits of any credit card on file. [...]
Ironically, the vulnerability was discovered through a recent Hilton campaign that awarded 1,000 free award points to people who changed their online password prior to April 1, after which the change was to become mandatory.
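The bug described in the article is the classic insecure direct object reference pattern: the server accepts an account identifier from the client and acts on it without checking that it belongs to the logged-in member. The article does not say how Hilton's site actually wired the request, so the handler shape below is an assumption. This is an added illustration, not code from Hilton or from Ars Technica; account numbers, e-mails and point balances are constructed sample data.

```python
"""Added example: an IDOR-style loyalty-account API beside its hardened form.

Assumptions (not from the article): handlers receive a server-side Session
and a dict of request parameters, and the account number is the only key
used to look up a member. Data below is constructed, not real."""
from dataclasses import dataclass


@dataclass
class Account:
    number: str        # 9-digit loyalty number; low-entropy and easy to guess
    email: str
    points: int


@dataclass
class Session:
    """Server-side session created at login. The account number is bound here
    once and is the only identity the handlers may trust."""
    account_number: str


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def sample_accounts() -> dict:
    """Constructed sample members (not real accounts)."""
    return {
        "123456789": Account("123456789", "alice@example.com", 40000),
        "123456790": Account("123456790", "bob@example.com", 2500),
    }


def _lookup(accounts: dict, number: str) -> Account:
    try:
        return accounts[number]
    except KeyError:
        raise NotFound(number) from None


# --- vulnerable pattern: the object id comes from the request --------------
def view_profile_vulnerable(accounts: dict, session: Session, params: dict) -> dict:
    """Any logged-in member can read any other member's profile by supplying
    that member's number (CWE-639). The session is never consulted."""
    acct = _lookup(accounts, params["account"])      # client-controlled
    return {"email": acct.email, "points": acct.points}


def transfer_points_vulnerable(accounts: dict, session: Session, params: dict) -> int:
    """Source account is taken from the request, so a caller can drain
    someone else's balance into their own. Returns the source balance."""
    src = _lookup(accounts, params["from"])          # client-controlled source
    dst = _lookup(accounts, params["to"])
    amount = int(params["amount"])
    src.points -= amount
    dst.points += amount
    return src.points


# --- hardened pattern: the object id comes from the session ----------------
def view_profile_fixed(accounts: dict, session: Session, params: dict) -> dict:
    """Ignore any account number in the request; use the authenticated one."""
    acct = _lookup(accounts, session.account_number)
    return {"email": acct.email, "points": acct.points}


def transfer_points_fixed(accounts: dict, session: Session, params: dict) -> int:
    """Source is always the caller; only the destination may be chosen.
    Returns the caller's remaining balance."""
    src = _lookup(accounts, session.account_number)
    dst = _lookup(accounts, params["to"])
    amount = int(params["amount"])
    if amount <= 0 or amount > src.points or dst is src:
        raise ValueError("invalid transfer")
    src.points -= amount
    dst.points += amount
    return src.points


def guard_owner(session: Session, requested_number: str) -> str:
    """For routes that must carry an id in the URL (e.g. /accounts/<n>),
    enforce ownership explicitly rather than trusting the id. Returns the
    id when it matches the session; raises Forbidden otherwise."""
    if requested_number != session.account_number:
        raise Forbidden(f"session does not own account {requested_number}")
    return requested_number


if __name__ == "__main__":
    accts = sample_accounts()
    bob = Session("123456790")
    # Bob guesses Alice's number and reads her profile through the weak handler
    print(view_profile_vulnerable(accts, bob, {"account": "123456789"}))
    # The fixed handler returns Bob's own profile regardless of the parameter
    print(view_profile_fixed(accts, bob, {"account": "123456789"}))
```

The ownership check does not make 9-digit numbers any harder to enumerate; it makes enumeration useless for this purpose, because a guessed number no longer unlocks anything the guesser does not already own. Rate limiting and alerting on bursts of failed lookups are a separate, complementary control.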