Hotel booking site taken down over data breach fears

A mouse cursor hovering over a web page url bar

A hotel booking site has been condemned by a security expert after leaving users personal details easily accessible to hackers.

Scott Helme, an information security consultant, uncovered several flaws in the HotelHippo site while trying to book accommodation for a trip to the Lake District.

They included the presence of an SQL injection vulnerability on the site, as well as PCI compliance breaches and HTTPS configuration issues.

More alarmingly, Helme also uncovered while making a booking through the site that he could view and retrieve details about other people who have used the service in the past.

"It turns out you can start walking backwards through the booking reference numbers, which are sequential, and pull out the data associated with each one," he wrote in a blog post.

Hey presto, you've bagged yourself some credit card data with minimal effort.

He was able to test this out further by creating several bookings featuring fake credit card data, which he stressed was information that was irretrievable when pulling out other people's bookings.

"Just a little further down the page are things like my name, address and post code. It's really not ideal that this information is leaked, but not quite as critical as it would be if my credit card data was going out the window with it," he explained.

Once a booking is made, the site then emails users confirmation of the transaction, which Helme discovered could potentially provide cyber criminals with the ammunition needed to launch a convincing phishing attack.

The email contains a download link for users that want to save a copy of their booking details, and once again by simply altering the booking number within the URL, Helme said it's possible to pull up information about other people's bookings.

"At this point, an attacker has everything they could possibly need to launch a highly effective phishing attack against a user, " as the email details their home address, phone number, hotel stay and details about when they're planning to be away

"It's pretty easy to easy to look up a phone number and place a very convincing phone call to the customer," he continued.

"From here, they simply explain there was an issue with the card payment, they know the exact amount, and ask for card details over the phone to avoid having to cancel the booking.

"Hey presto, you've bagged yourself some credit card data with minimal effort."

Access to this kind of data could also pave the way for burglaries, Helme goes on to warn, as unsavoury types can easily dig out details about where customers live and bag confirmation of when their houses are likely to be empty.

Helme claims to have notified the St. Albans-based firm behind the site about these security holes on 25 June, but said it wasn't until he got the BBC involved that action was taken.

At the time of writing HotelHippo was offline.

In a statement to the BBC, HotelStayUK HotelHippo's operator said the site was taken down so that it could take "urgent action" to patch the aforementioned security holes.

"Privacy of customer data is our prime concern, and we are committed to ensuring this safety," the statement reads.

Meanwhile, the Information Commissioner's Office has confirmed that it has launched an investigation into the site.

Caroline Donnelly is the news and analysis editor of IT Pro and its sister site Cloud Pro, and covers general news, as well as the storage, security, public sector, cloud and Microsoft beats. Caroline has been a member of the IT Pro/Cloud Pro team since March 2012, and has previously worked as a reporter at several B2B publications, including UK channel magazine CRN, and as features writer for local weekly newspaper, The Slough and Windsor Observer. She studied Medical Biochemistry at the University of Leicester and completed a Postgraduate Diploma in Magazine Journalism at PMA Training in 2006.