As some of you know, I’ve been trying for several years to get Hilton to fix a security flaw in their web site. I’ve tried reporting it to them via the web site, through customer service, and by tracking down Hilton executives through Linked In and contacts from their press releases and bugging them directly. Despite my best efforts Hilton has declined to take any action and has continued for several years to knowingly expose their customers’ information.
Well, I’ve come to accept that this is a long-term fight and I’m busily boiling the sea a cup at a time. From time to time I blog about it and whenever I speak at conferences (where the attendees are often at Hilton properties) I tell my audiences about the vulnerability. But that was when I thought the main problem was that they were exposing my login credentials. Tonight I found two more security problems and now I’m steaming mad.
Why should you care? Glad you asked. Let me explain.
The first problem is that if you log onto the web page, your ID and password are sent in the clear. The Hilton FAQ states that “Your login is always executed through a secure connection” but this is clearly not the case as the screen shot shows.
So how big of a problem is that really? Well for starters, it is reported that between 30% and 50% (or more) of users reuse passwords across sites. That means passwords harvested by snooping Hilton HHonors logins could potentially unlock email, social network logins and even bank accounts. In fact, the high rate of password reuse means that any site leaking login credentials is a potential gold mine for hackers and identity thieves. They flock to sites like this like flies to shit.
Do the problems stop there? Oh HELL no. Assuming a hacker gets your login credentials, what can they do with them? Well, Hilton does store your credit card data. Thankfully it is not exposed on the web site, but a hacker can book rooms and other amenities in your name and I found one case where that actually happened. But your account also contains your home address and a list of days when you won’t be there. Or, if you are a celebrity, a hacker might be more interested in where you are rather than where you aren’t, and Hilton has your itinerary on file for the taking. The personal information Hilton exposes puts your identity at risk, and the address and itinerary information put your physical safety at risk. Remember, Hilton has known this for years and refuses to do anything about it. Gee, thanks Hilton.
But that’s not all. Not by a long shot. Consider the audience of Hilton’s loyalty program. This is a population of users who travel. When traveling, these users might log in from work, a client’s offices, a coffee shop, etc. But the one place they will ALL eventually log in from at some point is a Hilton hotel room – which provides an open Wi-Fi network. That means anyone with a Wi-Fi capable device can camp out in a room or in the lobby and slurp up network traffic looking for login pages. If they recognize the form being submitted, they automatically log the credentials. Hackers have been known to stash Wi-Fi loggers at public hot-spots then return later to pick up the device with all the captured traffic. Having provided all sorts of motive for hackers, Hilton kindly provides the means as well.
But that’s all old news. As bad as that is, I’ve reconciled myself to the notion that Hilton won’t care until enough of us complain. I’m doing my best to incite that protest but it’s slow going. And there’s a workaround so it’s bad but (unless you are victimized by it) not urgent. Well, that changed for me as of tonight.
When I tried to sign up for the Double Miles promotion, the page kept throwing password errors. I logged onto my account (using the only secure login page I’ve been able to find, more on that later) and verified I was using the right password. I actually copied and pasted the ID and password into both pages. The account page worked and the promotion page failed. The promotion page has a “Forgot your password?” link so I tried it. What the hell, it’s possible this page doesn’t use the same credentials as the main page. It’s also possible the page is intentionally broken because that reduces payouts on the promotion. In the trade this is euphemistically referred to as “breakage.” It’s also possible the page is broken and nobody noticed simply out of incompetence. Oddly, that’s the MOST generous assumption we could make here.
Anyway, when I submitted the password recovery form what I got back was my actual password but with the lower case letters folded to upper case. WTF? So I tried the all uppercase password on the account page and it worked. So even though I’ve been entering and using a long complex password made of upper case, lower case, digits and special characters, Hilton in their infinite wisdom just tosses out the 26 lower case characters and treats the password as case-insensitive. There are three problems with this:
- The stored password should NEVER be recoverable!
- Case insensitive passwords are far easier to crack.
- Email is insecure.
Why are these problems? What do Sony, LinkedIn, eHarmony, Last.fm, Zappos, DreamHost, Microsoft, Gawker, Booz Allen Hamilton, Stratfor and many others have in common? All either stored passwords in the clear or with reversible encryption, all were breached and all of these breaches exposed the passwords.
When a web site stores user credentials, the gold standard is to do so without using reversible encryption. When you submit your password, the web server combines it with a long random string of characters and then iterates a hashing algorithm over it many times. The result is a value which cannot be reversed to reveal your original password. This is what gets stored in the database. When you log in, the same process is applied and the result compared to the stored value. If the results match, the password is valid. Using a different “salt” (the aforementioned long random string) for each password means that cracking one password does not expose any other passwords, and that pre-computed tables of hashed passwords are useless to an attacker.
It also means that the web site will not be able to send you your password. This is why so many web sites with good security (for example, your bank (hopefully!)) send you a link to reset your password instead of the actual password. The fact that Hilton was able to send me the password means that they are storing it in plain text or using reversible encryption.
Although secure password storage is not exactly trivial, it is well known, mature technology and there is no justification for not implementing it. Yet the failure to implement secure password storage is so rampant that OWASP (The Open Web Application Security Project) ranks it third in their Top 10 list of worst security vulnerabilities.
Since we know Hilton stores passwords in recoverable fashion, how hard are they to crack? Well, folding the password to upper case cuts the possibility space for each alphabetic position almost in half. If I have both upper and lower case to use, that’s 52 alpha characters for each position in the password. Add digits and a few special characters and you have a decent set of characters to choose from. But starting with just 26 alphabetic characters drops the complexity of the passwords by orders of magnitude, because the halving compounds with every position. Assuming Hilton encrypts them at all, this approach greatly weakens the encryption.
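To make the salted, iterated hashing described above and the case-folding weakness concrete, here is an added example written for this post; it is not Hilton’s code and nothing about their system is known beyond what the post states. It uses PBKDF2-HMAC-SHA256 from the standard library, a per-password random salt, and a constant-time comparison, then shows a deliberately weak variant that folds case before hashing and a keyspace count (the eight special characters are an assumed policy, not a Hilton figure).

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. Raise it as hardware gets faster.
ITERATIONS = 200_000
SALT_BYTES = 16

def hash_password(password, salt=None, iterations=ITERATIONS):
    """Derive a one-way, salted record: 'pbkdf2_sha256$<iter>$<salt hex>$<hash hex>'.
    A fresh random salt is drawn per password unless one is supplied, so two users
    with the same password get different records and precomputed tables are useless."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())

def verify_password(password, record):
    """Re-run the derivation with the stored salt and compare in constant time.
    Nothing here can recover the original password from the record."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))

def hash_password_case_folded(password, salt=None):
    """Weak variant matching the behaviour the post observed: fold to upper case
    before hashing, so 'Hh0nors!Demo' and 'HH0NORS!DEMO' become the same credential."""
    return hash_password(password.upper(), salt)

def verify_password_case_folded(password, record):
    return verify_password(password.upper(), record)

def keyspace(length, case_sensitive, digits=10, specials=8):
    """Number of candidate passwords of a given length an attacker must try.
    'specials' is an assumed count of permitted punctuation characters."""
    letters = 52 if case_sensitive else 26
    return (letters + digits + specials) ** length

if __name__ == "__main__":
    pw = "Hh0nors!Demo"  # constructed sample, not a real credential
    rec = hash_password(pw)
    print(verify_password(pw, rec), verify_password(pw.upper(), rec))
    folded = hash_password_case_folded(pw)
    print(verify_password_case_folded(pw.lower(), folded))
    print(keyspace(8, True) // keyspace(8, False))
```

With the case-sensitive store the upper-cased password is rejected; with the folded store any casing is accepted, and for an eight-character password the folded keyspace is roughly forty times smaller.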
The other problem is that email is insecure. Email is a store-and-forward system and every server that an email passes through keeps a copy in a log. Since Hilton regularly sends me emails that contain my user ID, there are at least two service providers other than Hilton who have the user ID and password to my Hilton account. That may not sound so bad, but consider that I don’t actually know who runs the mail server at T-Rob.net; it’s just a service I buy. I also have no choice of how the mail is routed to me and no idea of who runs the backbone gateway mail server. I would not voluntarily hand my Hilton login credentials to my postal carrier, and she’s a US government employee who I know and trust. Why does Hilton give out my login credentials to multiple random companies who happen to process my email? The employees who have custody of my email may all be perfectly honest. But the more people who have that data, the greater the chance one of them will be dishonest. Expose the data to enough people and that chance of dishonesty begins to approach certainty. Again, this is a major fail and not justifiable given the state of web security technology these days.
We all use web sites that store confidential information. The next time you use the password recovery function on any of these, take notice of whether they send you the password or a link to reset the password. If it’s the password, they are playing fast and loose with your identity and financial information. Complain to them.
Set your browser to alert you when you submit a form that is not encrypted and then try your favorite vendor sites. If the alert pops up, then your ID and password are being sent in the clear. Complain to them. Demand they fix it.
For those sites that support it, set your preferences to always use SSL. Good examples are Google and Twitter. Facebook also has an all-SSL option but I don’t want to imply that they have good security and privacy overall. Just set it to use SSL.
If your vendor supports it, set your preferences to authenticate using a text message. When you log in they send you a text. You either reply or you enter a code from the text into the login page. This way even if your password is stolen they still need your phone to do anything with your account. For vendors where this is critical (like your bank) if they don’t do this, complain.
Finally, if you use Hilton HHonors loyalty program don’t log in using the main web form. Enter a bogus user ID and password and hit Enter. That takes you to an error page which is delivered over SSL. From there you can enter your actual ID and password which are then submitted over SSL and encrypted. Then call their customer service and complain that they have been knowingly exposing your login credentials and personal information for years and demand that they fix it. The only way vendors will ever do something is if we hold them accountable. Now’s your chance.
If you need technical details on any of this to lodge your own complaint, let me know.
UPDATE: While posting this blog entry to Hilton’s various Facebook pages, I discovered they have a few apps. Guess what? SSL is not supported on the HHonors app. Unlike their web page where you at least have a workaround, whatever credentials the app uses are ALWAYS sent in the clear. Kinda makes you think they don’t take that whole “we will always encrypt your login data” thing seriously. Oh wait, we already established that.