An infosec consultant looking to book a hotel via HotelHippo.com, owned by HotelStayUK, discovered that the website cannot be trusted with personal and card information, even though it sports the “COMODO – Authentic & Secure” trust seal.
The site has many problems, but the one he considers the biggest is that the reference numbers assigned to each booking are sequential and therefore predictable, and that simply placing one in the URL lets anyone view the details of a previously made booking, including the customer’s name, address, and so on.
Once the booking is completed, the user receives a confirmation email that contains a link to the booking information so he or she can save a copy:
Unfortunately, the booking reference number appears in that URL as well, and simply changing it leads to information about other customers’ bookings.
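The weakness described above is a textbook insecure direct object reference: the only thing standing between a visitor and someone else’s booking is a number that is trivially guessable, and the server never asks who is requesting it. The following is an added example, not HotelHippo’s code, that models both the vulnerable design and a hardened one side by side. The store classes, the `SAMPLE_CUSTOMERS` records and the `exposed_by_guessing` check are all constructed for illustration; the hardened store issues a random, URL-safe reference with `secrets.token_urlsafe` and refuses to return a booking unless the requester proves ownership (here, by matching the booking’s email), compared in constant time with `hmac.compare_digest`.

```python
import hmac
import itertools
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Booking:
    reference: str
    customer_email: str
    name: str
    address: str
    check_in: str


# Constructed sample customers (not real people or real bookings).
SAMPLE_CUSTOMERS = [
    ("alice@example.com", "Alice Example", "1 Sample Street", "2014-07-01"),
    ("bob@example.com", "Bob Sample", "2 Test Road", "2014-07-02"),
    ("carol@example.com", "Carol Demo", "3 Mock Avenue", "2014-07-03"),
]


class VulnerableBookingStore:
    """Mirrors the weakness in the article: sequential references, no ownership check."""

    def __init__(self, first_reference: int = 100001) -> None:
        self._counter = itertools.count(first_reference)
        self._bookings: dict[str, Booking] = {}

    def create(self, email: str, name: str, address: str, check_in: str) -> Booking:
        # Predictable: knowing one reference reveals the previous and next ones.
        reference = str(next(self._counter))
        booking = Booking(reference, email, name, address, check_in)
        self._bookings[reference] = booking
        return booking

    def lookup(self, reference: str, requester_email: Optional[str] = None) -> Optional[Booking]:
        # Whoever supplies a valid reference gets the record; the requester is never checked.
        return self._bookings.get(reference)


class HardenedBookingStore:
    """Unguessable reference that is bound to the customer who made the booking."""

    def __init__(self) -> None:
        self._bookings: dict[str, Booking] = {}

    def create(self, email: str, name: str, address: str, check_in: str) -> Booking:
        # 24 random bytes -> 32-character URL-safe token, independent of every other booking.
        reference = secrets.token_urlsafe(24)
        booking = Booking(reference, email, name, address, check_in)
        self._bookings[reference] = booking
        return booking

    def lookup(self, reference: str, requester_email: Optional[str] = None) -> Optional[Booking]:
        if requester_email is None:
            return None  # anonymous access to booking details is refused outright
        booking = self._bookings.get(reference)
        if booking is None:
            return None
        # Constant-time comparison so the ownership check is not itself a timing oracle.
        if not hmac.compare_digest(booking.customer_email.encode(), requester_email.encode()):
            return None
        return booking


def sequential_refs(start: int, count: int) -> list[str]:
    """The candidate references a guesser would try against a sequential scheme."""
    return [str(n) for n in range(start, start + count)]


def exposed_by_guessing(store, candidate_refs) -> int:
    """How many bookings an anonymous requester can read by trying each candidate reference.

    A defender can run this against a store to confirm the design does not leak.
    """
    return sum(1 for ref in candidate_refs if store.lookup(ref) is not None)


if __name__ == "__main__":
    vulnerable = VulnerableBookingStore()
    hardened = HardenedBookingStore()
    for record in SAMPLE_CUSTOMERS:
        vulnerable.create(*record)
        hardened.create(*record)
    guesses = sequential_refs(100001, 3)
    print("sequential store leaks", exposed_by_guessing(vulnerable, guesses), "of 3")
    print("hardened store leaks", exposed_by_guessing(hardened, guesses), "of 3")
```

The confirmation-email link in the hardened design would carry the random token rather than a counter value, and the page behind it should still require the customer to authenticate (or at least confirm the email the booking was made with) before rendering name and address; the token alone should never be treated as proof of identity, since email can be forwarded or intercepted.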
“At this point, an attacker has everything they could possibly need to launch a highly effective phishing attack against a user,” Scott Helme explained in a blog post. “With name and address details it’s pretty easy to look up a phone number and place a very convincing phone call to the customer.”
Armed with all the specific details of the booking, the attacker can impersonate a Hotel Hippo employee, lie that there was an issue with the card payment, and ask for card details over the phone to avoid having to cancel the booking.
Another danger that the customers are exposed to is potential burglary, as an attacker knows where they live and when they will be away from home.
The site also has other issues, such as being vulnerable to SQL injection and using insecure cipher suites to protect the payment details, which is a violation of PCI compliance requirements, among others.
Helme claims that he notified the owners of the site about the problems repeatedly, but that he was ignored.
“It wasn’t until things escalated to having the BBC involved that HotelHippo took action,” he noted.
The website is now offline (“down for maintenance”), and it is to be expected that the problems will be fixed.
“It shouldn’t have to get so far before companies start taking responsible disclosures seriously,” Helme pointed out. “This is a common issue that I see when making any responsible disclosure and it’d be nice to see companies taking these things on board.”