Help Net Security has reported that information given to the online hotel booking site HotelHippo.com by its customers can be easily accessed by anybody. HotelHippo is owned by the UK-based HotelStayUK, and the website displays a COMODO "Authentic & Secure" seal. According to the Help Net Security report, a security consultant looking to book a hotel via HotelHippo.com discovered that the website cannot be trusted with personal and card information, because of a basic mistake on the part of the site's developers.
The consultant reports that the reference numbers assigned to each booking are sequential and therefore predictable, and that simply placing a different reference number in the URL lets anyone view the details of a customer who has previously made a booking. With the right URL you get essentially everything the customer entered: name, address, email address and so on.
When a user books a hotel room via HotelHippo, he or she receives a confirmation email containing a link to the booking details. That URL carries the booking reference number, and the page it loads shows all of the customer's details without asking for any other credential. Simply changing the booking reference number in the URL therefore returns the full details of other customers.
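The flaw described above is a classic insecure direct object reference: the server trusts a predictable identifier in the URL as proof that the requester owns the record. The following added example (written for this article, not HotelHippo's code) models the vulnerable lookup, shows how one known confirmation link is enough to enumerate neighbouring bookings, and places a hardened lookup beside it that requires a per-booking random token, compared in constant time. The booking records, hostname and function names are all constructed for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Booking:
    ref: int          # sequential reference number, as on the vulnerable site
    name: str
    email: str
    address: str
    # Hardened variant: a per-booking secret that is only ever sent to the customer.
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


# Constructed sample data for the example; not real customer records.
BOOKINGS: Dict[int, Booking] = {
    1001: Booking(1001, "Alice Example", "alice@example.com", "1 High Street"),
    1002: Booking(1002, "Bob Example", "bob@example.com", "2 High Street"),
    1003: Booking(1003, "Carol Example", "carol@example.com", "3 High Street"),
}


def public_view(b: Booking) -> dict:
    """The fields a confirmation page exposes."""
    return {"name": b.name, "email": b.email, "address": b.address}


def vulnerable_lookup(ref: int) -> Optional[dict]:
    """Mirrors the flaw: the sequential reference in the URL is the only input,
    and no ownership or authentication check is made before returning the record."""
    b = BOOKINGS.get(ref)
    return public_view(b) if b is not None else None


def enumerate_bookings(known_ref: int, window: int = 5) -> List[int]:
    """What an attacker does with a single confirmation link: walk the references
    either side of the one they know and collect every one that resolves."""
    found = []
    for ref in range(known_ref - window, known_ref + window + 1):
        if vulnerable_lookup(ref) is not None:
            found.append(ref)
    return found


def hardened_lookup(ref: int, token: str) -> Optional[dict]:
    """Hardened form: the reference alone is worthless; the request must also carry
    the booking's unguessable token, checked with a constant-time comparison."""
    b = BOOKINGS.get(ref)
    if b is None or not hmac.compare_digest(b.token, token):
        return None
    return public_view(b)


def confirmation_link(ref: int) -> str:
    """The link the hardened site would email. The hostname is a placeholder."""
    b = BOOKINGS[ref]
    return f"https://booking.example.invalid/booking/{ref}?t={b.token}"


if __name__ == "__main__":
    # One leaked or guessed reference exposes the whole neighbourhood of bookings.
    print("vulnerable enumeration from ref 1001:", enumerate_bookings(1001))
    # With the token requirement, guessing the reference gets an attacker nothing.
    print("hardened lookup with wrong token:", hardened_lookup(1002, "guess"))
    print("hardened link for 1002:", confirmation_link(1002))
```

Note that the token does not replace the sequential reference (which is still convenient for staff and for support calls); it is an additional, unguessable credential bound to the record, so a confirmation link is only as exposed as the inbox it was sent to. Rate limiting and logging of failed lookups are still worthwhile on top of this.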
“At this point, an attacker has everything they could possibly need to launch a highly effective phishing attack against a user,” Scott Helme explained in a blog post. “With name and address details it’s pretty easy to look up a phone number and place a very convincing phone call to the customer.”
With these details, anyone can impersonate a HotelHippo employee, contact the customer through the email address or phone number found via the booking, and attempt to phish banking credentials or ask for a payment. The attacker also learns the customer's physical address and could use it to plan a break-in.
According to Help Net Security, the site is also vulnerable to SQL injection and uses insecure cipher suites to protect customers' payment details in transit. Either weakness could let criminals compromise the site at any moment.