Travel website Hotel Hippo yanked offline after data leaks spotted Travel website Hotel Hippo is closed for business after an infosec bod spotted gaping security flaws which could allow hackers to snoop through customers' booking details. Information security consultant Scott Helme contacted The Register to discuss the security lapse, which could come in very handy for burglars who want to …
I remember years ago when I was working for a hosting company, one of the companies we hosted decided to have a secure server. He just got his php script to write the details people entered when buying goods (including card details) to be stored into plain text files on the website space. I told my boss, but he said that we were only a hosting company and it was not our responsibility if the company didn't have a professional web developer to write a properly secure website.
I left the hosting company soon after that.
...to go poking around sites and contents just because they were hosted there. They were renting compute and web services from you - what the hell has their content or processes got to do with you, unless it's illegal? PCI is a compliance issue, not a legal one, and without authorisation you should not have been poking around. If it had been my hosting firm you wouldn't have walked , I'd have pushed you.
This is how hosting and cloud compute is supposed to operate - without dickheads like you sticking their nose in.
Back to the main topic - it's piss poor security indeed where modifying a url lets you see others details. However the current laws would consider this hacking and may land you in jail. Which is fucking mad - but true.
Backup logs sometimes tell you a hell of a lot about what's happening with a website. No need for poking around. I recall that being something of an issue when we use to transfer data for customers from and old PC to a new one in a screwdriver shop we worked for. When you see ParisNude.jpg or ParisF#ck.mpg scroll by on the screen in the temporary internet files folder, you can make a pretty good guess what it is.
" ... he could input booking reference numbers other than his own and view other customers' personal details, simply by making a small change to the URL."
This, as we know, is one of the oldest faults in the book of security failings. Leaving aside questions of which useless developer created the website, the management of this company are responsible for its security and they should be the ones to be hit by sanctions and fines (ha, if only).
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
