UK-based hotel booking website HotelHippo has been taken offline after a casual examination by a security expert uncovered an extraordinary catalogue of security problems, including leaking customer data to the Internet.
The most egregious issue discovered by Scott Helme was undoubtedly that the site placed an unprotected booking reference number in the URL before payment. This allowed anyone, including people not logged into an account or authenticated in any way, to access previous customers' bookings simply by changing the digits.
Helme was able to access the booking information for other customer transactions.
“It turns out you can start walking backwards through the booking reference numbers, which are sequential, and pull out the data associated with each one!” said an astonished Helme in a blog.
It is not clear that doing this would leak credit card data, but accessible information included a subject's name, address and post code, he said.
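The flaw described above is a classic insecure direct object reference: a sequential identifier in the URL is the only "check". The following is an added illustration (not HotelHippo's code; the booking store, user names and log lines are constructed) showing the vulnerable lookup beside a hardened one that requires a session and verifies ownership, an unguessable reference for pre-login links, and a log check that flags anonymous clients walking through reference numbers.

```python
import re
import secrets

# Constructed sample store with sequential references, as the article describes.
BOOKINGS = {
    1001: {"owner": "alice", "name": "A. Smith", "postcode": "SW1A 1AA"},
    1002: {"owner": "bob", "name": "B. Jones", "postcode": "M1 1AE"},
    1003: {"owner": "carol", "name": "C. Brown", "postcode": "EH1 1YZ"},
}

def lookup_insecure(ref, session_user=None):
    """Vulnerable pattern: the reference in the URL is the only 'check'."""
    return BOOKINGS.get(ref)

def lookup_secure(ref, session_user=None):
    """Hardened: require an authenticated user and verify ownership.
    Missing and foreign bookings get the same answer, so nothing leaks."""
    if session_user is None:
        return None
    booking = BOOKINGS.get(ref)
    if booking is None or booking["owner"] != session_user:
        return None
    return booking

def new_public_reference():
    """Unguessable reference for links that must work before login (e.g. in email)."""
    return secrets.token_urlsafe(16)  # 128 bits of randomness, 22 URL-safe chars

def exposed_without_login(lookup, start, stop):
    """Regression check: how many records an anonymous walk over a range returns."""
    return sum(1 for r in range(start, stop + 1) if lookup(r) is not None)

# Constructed access-log lines: one client walking references with no session.
LOG = """\
10.0.0.5 - GET /booking?ref=1003 session=-
10.0.0.5 - GET /booking?ref=1002 session=-
10.0.0.5 - GET /booking?ref=1001 session=-
10.0.0.9 - GET /booking?ref=1002 session=bob
"""
LINE = re.compile(r"^(\S+) - GET /booking\?ref=(\d+) session=(\S+)")

def enumeration_suspects(log, threshold=3):
    """Flag clients that request several distinct references with no session."""
    seen = {}
    for m in map(LINE.match, log.splitlines()):
        if m and m.group(3) == "-":
            seen.setdefault(m.group(1), set()).add(int(m.group(2)))
    return sorted(ip for ip, refs in seen.items() if len(refs) >= threshold)
```

The `exposed_without_login` check is the kind of test that would have failed loudly for the insecure lookup and passed for the hardened one.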
There were other problems. The certificate for the site – the part that guarantees SSL security – was issued for the wrong site, despite 'https' appearing to be in operation for the main domain. HotelHippo even displayed a “COMODO – Authentic & Secure” badge on a page served over plain HTTP.
To top it off, the site supported only TLS 1.0 rather than TLS 1.1 or 1.2, the latter having been around since 2008. Helme also found an SQL injection flaw afflicting the site.
“The worst thing is that the above issues actually place the site in breach of PCI compliance, meaning they shouldn’t be accepting credit card data at all! The requirements of PCI compliance are clearly outlined and there’s no reason for a vendor such as these to be non-compliant.”
Perhaps the subtlest security problem of all was simply that the lax site configuration allowed any search engine crawler to index the insecure private data. A search on Google confirmed this; the bookings made through the site were reachable via the sort of Google search that a criminal would run with an automated tool.
Some of the issues uncovered by Helme are far from new and might even be where a number of infamous data breaches of recent years originated. The level of security misconfiguration uncovered is still extraordinary by any standards.
Helme said in comments to the BBC that he’d contacted the site and had no response to his concerns. HotelStayUK (which owns HotelHippo) managing director Chris Orrell denied any knowledge of the warnings.
As of 2 July, the site remains down for “site maintenance” and one can only assume the developers will have to rebuild the site from scratch.
The Information Commissioner's Office (ICO) confirmed that it is looking into the report.