Hotel booking site taken down over data breach fears

HotelHippo has been taken offline after security expert finds various flaws in its IT systems


A hotel booking site has been condemned by a security expert after leaving users' personal details easily accessible to hackers.

Scott Helme, an information security consultant, uncovered several flaws in the HotelHippo site while trying to book accommodation for a trip to the Lake District.

They included the presence of an SQL injection vulnerability on the site, as well as PCI compliance breaches and HTTPS configuration issues.

More alarmingly, Helme also uncovered while making a booking through the site that he could view and retrieve details about other people who have used the service in the past.

"It turns out you can start walking backwards through the booking reference numbers, which are sequential, and pull out the data associated with each one," he wrote in a blog post.


He was able to test this out further by creating several bookings featuring fake credit card data, which he stressed was information that was irretrievable when pulling out other people's bookings.

"Just a little further down the page are things like my name, address and post code. It's really not ideal that this information is leaked, but not quite as critical as it would be if my credit card data was going out the window with it," he explained.

Once a booking is made, the site then emails users confirmation of the transaction, which Helme discovered could potentially provide cyber criminals with the ammunition needed to launch a convincing phishing attack.

The email contains a download link for users that want to save a copy of their booking details, and once again by simply altering the booking number within the URL, Helme said it's possible to pull up information about other people's bookings.
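The flaw described in the two passages above is an insecure direct object reference: the booking number in the URL is sequential and the server never checks that the requester owns the booking it returns. The following is an added example, not code from HotelHippo or from Helme's post, that reproduces that pattern on an in-memory toy beside a hardened lookup (unguessable reference, ownership check, masked card number), and adds a small detector that flags a client walking consecutive booking numbers in an access log. All bookings, card numbers, log lines and the `/booking/<ref>` path are constructed for the example.

```python
"""IDOR on booking lookups: vulnerable pattern, hardened pattern, and a
log-based detector. Constructed sample data only; no real customers, cards,
references or log lines.
"""
import hmac
import re
import secrets
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Booking:
    owner: str          # account e-mail that made the booking
    name: str
    address: str
    card_number: str    # stored here only to show what the leak exposes
    # Hypothetical unguessable public reference used by the hardened lookup.
    public_ref: str = field(default_factory=lambda: secrets.token_urlsafe(16))


# Constructed bookings keyed by a sequential reference number, as on the site.
BOOKINGS = {
    1001: Booking("alice@example.com", "Alice", "1 High St", "4111111111111111"),
    1002: Booking("bob@example.com", "Bob", "2 Low Rd", "5555555555554444"),
    1003: Booking("carol@example.com", "Carol", "3 Mid Ln", "378282246310005"),
}
BY_PUBLIC_REF = {b.public_ref: b for b in BOOKINGS.values()}


def lookup_insecure(ref: int) -> Optional[dict]:
    """Vulnerable: trusts the number in the URL and returns the full record.
    Anyone who decrements the reference gets the previous customer's data."""
    b = BOOKINGS.get(ref)
    if b is None:
        return None
    return {"name": b.name, "address": b.address, "card": b.card_number}


def mask_card(pan: str) -> str:
    """Show only the last four digits; full PANs should never reach a page."""
    return "*" * (len(pan) - 4) + pan[-4:]


def lookup_secure(public_ref: str, session_user: str) -> Optional[dict]:
    """Hardened: random reference, ownership check against the logged-in
    session, and a masked card. Unknown ref and wrong owner get the same
    answer so an attacker cannot tell which one failed."""
    b = BY_PUBLIC_REF.get(public_ref)
    if b is None or not hmac.compare_digest(b.owner, session_user):
        return None
    return {"name": b.name, "address": b.address, "card": mask_card(b.card_number)}


# Constructed access-log lines in the hypothetical "client GET path" shape.
LINE_RE = re.compile(r"^(\S+) GET /booking/(\d+)$")
SAMPLE_LOG = """\
203.0.113.5 GET /booking/1003
203.0.113.5 GET /booking/1002
203.0.113.5 GET /booking/1001
198.51.100.7 GET /booking/1002
""".splitlines()


def flag_sequential_walks(lines, min_run: int = 3) -> set:
    """Return clients whose successive booking requests differ by exactly 1
    for at least `min_run` requests in a row: the signature of someone
    stepping through sequential references rather than opening their own."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            seen[m.group(1)].append(int(m.group(2)))
    flagged = set()
    for client, refs in seen.items():
        run = 1
        for prev, cur in zip(refs, refs[1:]):
            run = run + 1 if abs(cur - prev) == 1 else 1
            if run >= min_run:
                flagged.add(client)
                break
    return flagged


if __name__ == "__main__":
    print("insecure 1002:", lookup_insecure(1002))
    print("secure as bob:", lookup_secure(BOOKINGS[1002].public_ref, "bob@example.com"))
    print("secure as alice:", lookup_secure(BOOKINGS[1002].public_ref, "alice@example.com"))
    print("flagged clients:", flag_sequential_walks(SAMPLE_LOG))
```

The ownership check is the fix that matters; the random reference only raises the cost of guessing and is no substitute for it, and masking the card keeps a future logic bug from exposing full numbers. The detector is deliberately simple (no timing window, no reverse proxy header handling) so that the rule it applies is visible.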

"At this point, an attacker has everything they could possibly need to launch a highly effective phishing attack against a user," as the email details their home address, phone number, hotel stay and details about when they're planning to be away.

"It's pretty easy to look up a phone number and place a very convincing phone call to the customer," he continued.

"From here, they simply explain there was an issue with the card payment, they know the exact amount, and ask for card details over the phone to avoid having to cancel the booking.

"Hey presto, you've bagged yourself some credit card data with minimal effort."

Access to this kind of data could also pave the way for burglaries, Helme goes on to warn, as unsavoury types can easily dig out details about where customers live and bag confirmation of when their houses are likely to be empty.

Helme claims to have notified the St. Albans-based firm behind the site about these security holes on 25 June, but said it wasn't until he got the BBC involved that action was taken.

At the time of writing HotelHippo was offline.

In a statement to the BBC, HotelStayUK, HotelHippo's operator, said the site was taken down so that it could take "urgent action" to patch the aforementioned security holes.

"Privacy of customer data is our prime concern, and we are committed to ensuring this safety," the statement reads.

Meanwhile, the Information Commissioner's Office has confirmed that it has launched an investigation into the site.
