Expert slams HotelHippo booking website after finding multiple security woes

Site ignored leaking data complaint until BBC contacted

UK-based hotel booking website HotelHippo has been taken offline after a casual examination by a security expert uncovered an extraordinary catalogue of security problems, including the leaking of customer data to the Internet.

The most egregious issue discovered by Scott Helme was undoubtedly that the site placed a sequential, unprotected booking reference number in the URL before payment, and looked the booking up on that number alone. This allowed anyone, including people not logged into an account or authenticated in any way, to access previous customers' bookings simply by changing the digits.

Helme was able to access the booking information for other customer transactions.

"It turns out you can start walking backwards through the booking reference numbers, which are sequential, and pull out the data associated with each one!" said an astonished Helme in a blog.

It is not clear that doing this would leak credit card data, but accessible information included a subject's name, address and post code, he said.
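As an added illustration that is not Helme's code or HotelHippo's (the booking records, names, addresses and the per-booking token design are constructed for the example), the following Python contrasts a lookup keyed only on a sequential reference, which is what the article describes, with a hardened lookup that requires an unguessable per-booking token and, for bookings tied to an account, a matching authenticated session:

```python
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed sample records standing in for a booking table; none of this is HotelHippo data.
@dataclass
class Booking:
    ref: int                  # sequential booking reference, the value that appeared in the URL
    token: str                # unguessable per-booking secret used only by the hardened lookup
    customer: Optional[str]   # account that owns the booking; None for a guest booking
    name: str
    address: str
    postcode: str

BOOKINGS = {}          # ref -> Booking
_NEXT_REF = 1001       # hypothetical starting reference

def create_booking(customer, name, address, postcode):
    """Issue the next sequential reference: exactly the property that makes enumeration trivial."""
    global _NEXT_REF
    booking = Booking(_NEXT_REF, secrets.token_urlsafe(32), customer, name, address, postcode)
    BOOKINGS[booking.ref] = booking
    _NEXT_REF += 1
    return booking

# Constructed sample bookings (hypothetical people and addresses).
create_booking("alice@example.com", "A. Smith", "1 High Street", "AB1 2CD")
create_booking(None, "B. Jones", "2 Station Road", "EF3 4GH")
create_booking("carol@example.com", "C. Brown", "3 Mill Lane", "IJ5 6KL")

def vulnerable_lookup(ref):
    """The flaw the article describes: the reference from the URL is the only input and nothing
    checks who is asking, so any reference that exists returns that customer's details."""
    booking = BOOKINGS.get(ref)
    if booking is None:
        return None
    return (booking.name, booking.address, booking.postcode)

def enumerate_backwards(start_ref, count):
    """What 'walking backwards through the booking reference numbers' looks like against the
    vulnerable endpoint: decrement the reference and collect every record that comes back."""
    leaked = []
    for ref in range(start_ref, start_ref - count, -1):
        record = vulnerable_lookup(ref)
        if record is not None:
            leaked.append((ref, record))
    return leaked

class Forbidden(Exception):
    """Raised instead of returning a record; a web handler would map this to an HTTP 403 or 404."""

def hardened_lookup(ref, token, session_user):
    """Two checks the vulnerable version lacks. The token is a 256-bit random secret issued only to
    whoever created the booking and is compared in constant time; for bookings tied to an account
    the authenticated session must also belong to that account."""
    booking = BOOKINGS.get(ref)
    if booking is None:
        raise Forbidden()
    # Compare as bytes so an attacker-supplied non-ASCII token cannot make compare_digest raise.
    if not secrets.compare_digest(booking.token.encode(), str(token).encode()):
        raise Forbidden()
    if booking.customer is not None and booking.customer != session_user:
        raise Forbidden()
    return (booking.name, booking.address, booking.postcode)

def is_accessible(ref, token, session_user):
    """True if hardened_lookup would release the record to this caller."""
    try:
        hardened_lookup(ref, token, session_user)
        return True
    except Forbidden:
        return False

if __name__ == "__main__":
    # Against the vulnerable lookup an anonymous caller harvests every existing record.
    for ref, record in enumerate_backwards(1003, 5):
        print("leaked", ref, record)
    # Against the hardened lookup the same walk yields nothing without the per-booking token.
    print("guessable refs alone:", [is_accessible(r, "", None) for r in (1003, 1002, 1001)])
```

The point of the second check is that an unguessable token on its own only protects the booking until the link is shared or logged somewhere; binding account bookings to the session closes that gap too. Neither control is a substitute for the other.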

There were other problems. The certificate presented by the site, the credential that binds an HTTPS connection to the domain it claims to be, was issued for a different hostname, so although 'https' appeared to be in operation for the main domain a browser could not verify that it was talking to HotelHippo. HotelHippo even displayed a "COMODO - Authentic & Secure" badge on a page served over plain HTTP.

To top it off, the site supported TLS 1.0 rather than TLS 1.1 or 1.2, the latter having been standardised in 2008. Helme also found an SQL injection flaw afflicting the site.

"The worst thing is that the above issues actually place the site in breach of PCI compliance, meaning they shouldn't be accepting credit card data at all! The requirements of PCI compliance are clearly outlined and there's no reason for a vendor such as these to be non-compliant."

Perhaps the subtlest security problem of all was simply that the lax site configuration, which served booking pages without requiring any login, allowed any search engine crawler to index the private data. A Google search confirmed this: bookings made through the site turned up in the sort of search query a criminal would run, or automate, to harvest such records. Hiding the pages from crawlers would not have been a fix; the pages should not have rendered without authentication in the first place.

Some of the issues uncovered by Helme are far from new and might even be where a number of infamous data breaches of recent years originated. The level of security misconfiguration uncovered is still extraordinary by any standards.

Helme said in comments to the BBC that he'd contacted the site and had no response to his concerns. HotelStayUK (which owns HotelHippo) managing director Chris Orrell denied any knowledge of the warnings.

As of 2 July, the site remains down for "site maintenance" and one can only assume the developers will have to rebuild the site from scratch.

The Information Commissioner's Office (ICO) confirmed that it is looking into the report.

Stories by John E Dunn