Expert slams HotelHippo booking website after finding multiple security woes

Site ignored leaking data complaint until BBC contacted

UK-based hotel booking website HotelHippo has been taken offline after a casual examination by a security expert uncovered an extraordinary catalogue of security problems, including leaking customer data to the Internet.

The most egregious issue discovered by Scott Helme was undoubtedly that the site created an unsecured booking reference number in the URL in advance of payment. This allowed anyone, including people not logged into an account or authenticated in any way, to access previous customer bookings simply by changing the digits.

Helme was able to access the booking information for other customer transactions.

"It turns out you can start walking backwards through the booking reference numbers, which are sequential, and pull out the data associated with each one!" said an astonished Helme in a blog.

It is not clear whether doing this would leak credit card data, but the accessible information included a customer's name, address and postcode, he said.
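The flaw described above is a classic insecure direct object reference: the booking number alone is treated as proof that the requester may see the record, and because the numbers are sequential every other record is one decrement away. The following Python is an added example, not HotelHippo's code; the booking records, account names and postcodes in it are constructed. It shows the vulnerable lookup beside a hardened one that requires a logged-in session, checks that the booking belongs to that account, and issues random rather than sequential references.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


# Constructed sample records standing in for a booking store; these are not
# real HotelHippo data.
@dataclass(frozen=True)
class Booking:
    reference: str
    owner_id: str        # account that made the booking
    guest_name: str
    postcode: str


# The original site used sequential references, so the store is keyed the
# same way to make the problem visible.
SEQUENTIAL_BOOKINGS: Dict[str, Booking] = {
    "100041": Booking("100041", "alice", "A. Example", "AB1 2CD"),
    "100042": Booking("100042", "bob", "B. Example", "EF3 4GH"),
}


def lookup_booking_vulnerable(store: Dict[str, Booking],
                              reference: str) -> Optional[Booking]:
    """Reproduces the flaw: possession of the reference is the only check,
    so any caller, logged in or not, can read any record."""
    return store.get(reference)


def lookup_booking_checked(store: Dict[str, Booking], reference: str,
                           session_user: Optional[str]) -> Optional[Booking]:
    """Hardened lookup: an authenticated session is required and the record
    must belong to that account. Missing and foreign bookings both yield
    None so the response does not confirm which references exist."""
    if session_user is None:
        return None
    booking = store.get(reference)
    if booking is None or booking.owner_id != session_user:
        return None
    return booking


def new_reference() -> str:
    """Unguessable reference: 128 bits from the OS CSPRNG, not a counter."""
    return secrets.token_urlsafe(16)


def create_booking(store: Dict[str, Booking], owner_id: str,
                   guest_name: str, postcode: str) -> str:
    """Store a booking under a fresh random reference and return it."""
    ref = new_reference()
    while ref in store:          # collision is astronomically unlikely, but cheap to handle
        ref = new_reference()
    store[ref] = Booking(ref, owner_id, guest_name, postcode)
    return ref


if __name__ == "__main__":
    # Anonymous caller reads bob's record through the vulnerable path...
    print(lookup_booking_vulnerable(SEQUENTIAL_BOOKINGS, "100042"))
    # ...but gets nothing through the checked path, and alice cannot read it either.
    print(lookup_booking_checked(SEQUENTIAL_BOOKINGS, "100042", None))
    print(lookup_booking_checked(SEQUENTIAL_BOOKINGS, "100042", "alice"))
    print(lookup_booking_checked(SEQUENTIAL_BOOKINGS, "100042", "bob"))
```

The ownership check is the fix that matters; the random reference is defence in depth, since a reference that cannot be enumerated also stops the search-engine indexing problem described later from being turned into a bulk listing. Note that the check is done per record at read time, not by hiding the reference from the URL, because anything in a URL must be assumed visible.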

There were other problems. The certificate for the site - the part that underpins SSL/TLS security - was issued for a different domain, even though 'https' appeared to be in operation for the main domain. HotelHippo even displayed a "COMODO - Authentic & Secure" badge on a page served over plain HTTP.

To top it off, the site supported only TLS 1.0 rather than TLS 1.1 or 1.2, the latter having been around since 2008. Helme also found an SQL injection flaw afflicting the site.

"The worst thing is that the above issues actually place the site in breach of PCI compliance, meaning they shouldn't be accepting credit card data at all! The requirements of PCI compliance are clearly outlined and there's no reason for a vendor such as this to be non-compliant."

Perhaps the subtlest security problem of all was simply that the lax site configuration allowed any search engine crawler to index the unprotected private data. A search on Google confirmed this: bookings made through the site were accessible via the kind of Google search a criminal could easily automate.

Some of the issues uncovered by Helme are far from new and might even be where a number of infamous data breaches of recent years originated. The level of security misconfiguration uncovered is still extraordinary by any standards.

Helme said in comments to the BBC that he'd contacted the site and had no response to his concerns. HotelStayUK (which owns HotelHippo) managing director Chris Orrell denied any knowledge of the warnings.

As of 2 July, the site remains down for "site maintenance" and one can only assume the developers will have to rebuild the site from scratch.

The Information Commissioner's Office (ICO) confirmed that it is looking into the report.

Stories by John E Dunn