Security consultant condemns hotel booking site for "appalling" data leak

The United Kingdom Information Commissioner's Office (ICO), the watchdog charged with overseeing data privacy and protection matters in the UK, has begun an investigation into a hotel booking site that an information security consultant has condemned over an "appalling" data leak, and the company's subsequent failure to act on it. 

Scott Helme visited HotelHippo.com - owned by the HotelStayUK group - as a customer looking for a good deal on a stay in England's picturesque Lake District. But when his search led him to the site, he was horrified to discover a string of failures in its security, leaving it completely vulnerable to data mining from unscrupulous third-parties. 

The first red flag was that the site was served over plain HTTP, despite numerous highly visible claims that the site was secure, and attempting to navigate to an HTTPS version resulted in a certificate error, since the certificate presented was issued for a completely different domain (secure.afternoonteafortwo.co.uk).

Cautiously pressing on through the booking process, Helme entered his personal details - name, address, and the like - before proceeding to the payment details page. To his surprise, he noted that his booking reference number - stated on the page - was duplicated in the address bar in plain text.

Not inspired by the site's claims of security, he played a hunch and edited the booking reference in the URL, and immediately found that he was able to access the details of other customers on the site, with no check that the booking belonged to him.

The booking references were sequentially numbered, so he could go through each of them one by one, viewing customer details - including names, addresses, phone numbers and, horrifyingly, dates of travel, giving potential burglars all the info they need to ransack your house while you're away. Helme has detailed further elements of the company's security failures on his blog.
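The flaw described above is a classic insecure direct object reference: the booking number in the URL is the only key used to fetch a record, and the numbers are sequential, so an attacker can walk them all. The following is an added illustration written for this page, not HotelHippo's actual code (which was never published): a constructed in-memory "booking database" with a lookup that behaves the way the article describes, an enumeration routine showing what sequential references let an attacker do, and a hardened lookup that both binds each record to the requesting session and hides it behind an unguessable token. Record contents, session identifiers and function names are all invented for the example.

```python
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample data standing in for the site's booking table.
# "owner" is the session that created the booking; the values are made up.
BOOKINGS: Dict[int, Dict[str, str]] = {
    1001: {"name": "A. Customer", "address": "1 Example Road", "travel": "2014-07-10", "owner": "sess-a"},
    1002: {"name": "B. Customer", "address": "2 Example Road", "travel": "2014-07-12", "owner": "sess-b"},
    1003: {"name": "C. Customer", "address": "3 Example Road", "travel": "2014-07-15", "owner": "sess-c"},
}

# Maps an opaque, random public reference to the internal sequential id (hardened design).
PUBLIC_REFS: Dict[str, int] = {}


def vulnerable_lookup(booking_ref: int, session_id: str) -> Optional[Dict[str, str]]:
    """The pattern the article describes: the reference taken from the URL is the
    only key, and the caller's session is never consulted, so any reference that
    exists returns that customer's record."""
    return BOOKINGS.get(booking_ref)


def enumerate_vulnerable(start: int, count: int, session_id: str) -> List[int]:
    """What sequential references buy an attacker: step through them one by one
    and collect every reference that returns a record."""
    return [
        ref for ref in range(start, start + count)
        if vulnerable_lookup(ref, session_id) is not None
    ]


def hardened_lookup(booking_ref: int, session_id: str) -> Optional[Dict[str, str]]:
    """Hardened form: the record is returned only to the session that owns it.
    A missing record and someone else's record produce the same result, so the
    reference space cannot be probed to learn which numbers are in use."""
    rec = BOOKINGS.get(booking_ref)
    if rec is None or not hmac.compare_digest(rec["owner"], session_id):
        return None
    return rec


def issue_public_ref(booking_ref: int) -> str:
    """Second layer: never expose the sequential id at all. Hand the customer a
    random 128-bit token and keep the id-to-token mapping server side."""
    token = secrets.token_urlsafe(16)
    PUBLIC_REFS[token] = booking_ref
    return token


def hardened_lookup_by_token(token: str, session_id: str) -> Optional[Dict[str, str]]:
    """Resolve the opaque token, then still enforce ownership; an attacker who
    somehow obtains one token gains nothing about any other booking."""
    booking_ref = PUBLIC_REFS.get(token)
    if booking_ref is None:
        return None
    return hardened_lookup(booking_ref, session_id)


if __name__ == "__main__":
    # The attacker's view of the vulnerable endpoint: every booking, from any session.
    print("enumerated:", enumerate_vulnerable(1000, 5, "sess-a"))
    # The same session against the hardened endpoint: only its own booking.
    print("own record:", hardened_lookup(1001, "sess-a"))
    print("other record:", hardened_lookup(1002, "sess-a"))
    tok = issue_public_ref(1001)
    print("by token:", tok, hardened_lookup_by_token(tok, "sess-a"))
```

The ownership check is the fix that actually closes the leak; the opaque token on its own would only slow an attacker down, which is why the example applies both. Returning the same "not found" result for a missing record and for a record the caller does not own keeps the endpoint from confirming which references exist.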

He initially contacted HotelStayUK to let them know about the security gaps on their site on June 25. However, Helme said that his "repeated emails and phone calls" to the company were ignored. HotelHippo.com remained online until today (July 1), when it quickly disappeared after BBC News contacted the company for comment.

The company said in a statement that it had "taken down the HotelHippo.com website to take some urgent action to deal with a technical situation." It added: "Privacy of customer data is our prime concern, and we are committed to ensuring this safety." 

The HotelStayUK site has also been taken offline and replaced with an error message. However, HotelStayUK managing director Chris Orrell denied any knowledge of the problem: "No-one's passed on any information to me," he said.

The ICO says that its investigation "will be looking into the matter to establish the full details", according to a spokesperson. 

Source: Scott Helme via BBC News | images 1-3 via ScottHelme.co.uk

12 Comments

Commenting is disabled on this article.

This is why companies should have their web apps tested thoroughly, via in-house testers or a third party offering testing services.

If the latter had been done I'm sure that this flaw would have been found. In fact I am 100% sure it would have been found, as I am a software tester and regularly look for things such as this.

While that is pretty bad, it's not like many of the hotels on that site are much better. I have encountered many hotels that offer completely unsecured Wi-Fi and think that there is nothing wrong with that. Sigh...

vanx said,
While that is pretty bad, it's not like many of the hotels on that site are much better. I have encountered many hotels that offer completely unsecured Wi-Fi and think that there is nothing wrong with that. Sigh...

Yeah, it's pretty sad when they have a 5 Mbit or less internet connection, unsecured. It's also pretty funny if you ever saw their mash of tens of routers from 2002... I'm sure they were good at the time, hah.

An unsecured connection is an unsecured connection, regardless of speed. One of the problems is that many hotels are locked into many-years-long contracts with telcos, so they are less inclined to change things. But we have digressed...

vanx said,
An unsecured connection is an unsecured connection, regardless of speed. One of the problems is that many hotels are locked into many-years-long contracts with telcos, so they are less inclined to change things. But we have digressed...

Yes it is, but when it's slow to begin with they're just asking for a saturated/damn near unusable connection for the actual guests.

There are simply no words. I'm no expert, entirely self taught, but even I know you don't make records available just via a URL query string. I hope their web developer finds themselves looking for work in the near future, perhaps getting some training in their spare time.