Hilton Hotels & Resorts has patched a gaping hole in its website that let anyone with a Hilton Honors account hack another account simply by knowing or guessing its 9-digit number. All an attacker had to do, according to security experts Brandon Potter and JB Snyder of consulting and testing firm Bancsec, was log in to any Hilton Honors account, alter some of the HTML content, and reload the page.

The story was broken in an article published Monday on KrebsOnSecurity. Krebs wrote:

After that, they could see and do everything available to the legitimate holder of that account, such as changing the account password; viewing past and upcoming travel; redeeming Hilton Honors points for travel or hotel reservations worldwide; or having the points sent as cash to prepaid credit cards or transferred to other Hilton Honors accounts. The vulnerability also exposed the customer’s email address, physical address, and the last four digits of any credit card on file. I saw this vulnerability in action after giving Snyder and Potter my own Hilton Honors account number, and seconds later seeing screen shots of them logged into my account. Hours after this author alerted Hilton of the discovery, the Hilton Honors site temporarily stopped allowing users to reset their passwords. The flaw they discovered now appears to be fixed. "Hilton Worldwide recently confirmed a vulnerability on a section of our Hilton HHonors website, and we took immediate action to remediate the vulnerability,” Hilton wrote in an emailed statement. “As always, we encourage Hilton HHonors members to review their accounts and update their online passwords regularly as a precaution. Hilton Worldwide takes information security very seriously and we are committed to safeguarding our guests’ personal information." Snyder said the problem stemmed from a common Web application weakness called a cross-site request forgery (CSRF) vulnerability, a type of attack that occurs when a malicious Web site, email, blog, instant message, or program causes a user’s Web browser to perform an unwanted action on a trusted site for which the user is currently authenticated. The CSRF flaw was doubly dangerous because Hilton’s site didn’t require logged-in users to re-enter their current passwords before picking a new one.

Making matters worse, a PIN reset page on the Hilton website readily told visitors whether a specific nine-digit combination was a valid account number. Attackers could have used the page to generate a list of valid account numbers and then accessed each one using the CSRF vulnerability. Ironically, the vulnerability was discovered through a recent Hilton campaign that awarded 1,000 free awards points to people who changed their online password prior to April 1, after which the change was to become mandatory.