Hilton Hotels & Resorts recently patched a cross-site request forgery (CSRF) vulnerability in its Hilton HHonors Awards system.
The bug allowed Brandon Potter, technical security consultant at Bancsec, and JB Snyder, founder of Bancsec, to hijack any awards account once a user is logged into their account. All they needed to know was the target's account number, Brian Krebs reported.
By changing the site's HTML code and reloading the page, the two men were able to see and execute any action the legitimate account holder could access, including viewing past and upcoming trips and redeeming Hilton HHonors points for travel or hotel reservations.
Snyder told Krebs that the reward program relies on a PIN reset page that reveals whether any 9-digit number corresponds to a valid account, making it easy for attackers to automate tests that enumerate valid accounts.
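The two weaknesses the article describes, modelled from the defender's side as an added example (this is not Hilton's code; the account numbers, session store and handler names are constructed): a PIN-reset endpoint that leaks account validity next to one that answers uniformly, and a points-redemption action that checks a per-session CSRF token and acts only on the session's own account.

```python
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample data: the 9-digit account numbers that exist.
ACCOUNTS = {"123456789", "987654321"}

# Session store: session id -> {"account": ..., "csrf": ...} (in-memory stand-in).
SESSIONS: Dict[str, Dict[str, str]] = {}


def login(account: str) -> str:
    """Create a session and bind a fresh, unguessable CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"account": account, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """Token the legitimate page embeds in its forms; a cross-site page cannot read it."""
    return SESSIONS[sid]["csrf"]


def pin_reset_leaky(account: str) -> str:
    """Behaviour the article describes: the reply differs for real and
    non-existent accounts, so the whole 9-digit space can be enumerated."""
    if account in ACCOUNTS:
        return "PIN reset instructions sent"
    return "Account not found"


def pin_reset_uniform(account: str) -> str:
    """Hardened variant: the same response either way; the actual reset
    notice goes out of band to the contact details already on file."""
    if account in ACCOUNTS:
        pass  # queue the reset notification here
    return "If that account exists, PIN reset instructions have been sent"


def redeem_points(sid: str, target_account: str, submitted_csrf: Optional[str]) -> bool:
    """State-changing action. A forged request carries the victim's session
    cookie but not the per-session token, so the constant-time token check
    fails; the handler also refuses to act on any account but the session's own."""
    sess = SESSIONS.get(sid)
    if sess is None or submitted_csrf is None:
        return False
    if not hmac.compare_digest(sess["csrf"].encode(), submitted_csrf.encode()):
        return False
    return target_account == sess["account"]
```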