Travel website Hotel Hippo yanked offline after data leaks spotted

Travel website Hotel Hippo is closed for business after an infosec bod spotted gaping security flaws which could allow hackers to snoop through customers' booking details. Information security consultant Scott Helme contacted The Register to discuss the security lapse, which could come in very handy for burglars who want to …

  1. Electric Panda

    This is outrageous. Reminds me far too much of those DELIBERATELY broken web apps that are used as penetration testing assault courses... in fact, quite a few of those I've seen don't have such obvious and trivial flaws in them.

    The name "Hotel Hippo" even sounds like a joke.

  2. Anonymous Coward

    I remember years ago when I was working for a hosting company, one of the companies we hosted decided to have a secure server. He just got his PHP script to write the details people entered when buying goods (including card details) into plain text files on the website space. I told my boss, but he said that we were only a hosting company and it was not our responsibility if the company didn't have a professional web developer to write a properly secure website.

    I left the hosting company soon after that.

    1. Anonymous Coward

      What authority did you have... to go poking around sites and contents just because they were hosted there? They were renting compute and web services from you - what the hell has their content or processes got to do with you, unless it's illegal? PCI is a compliance issue, not a legal one, and without authorisation you should not have been poking around. If it had been my hosting firm you wouldn't have walked, I'd have pushed you.

      This is how hosting and cloud compute is supposed to operate - without dickheads like you sticking their nose in.

      Back to the main topic - it's piss poor security indeed where modifying a URL lets you see others' details. However the current laws would consider this hacking and may land you in jail. Which is fucking mad - but true.

      1. Captain Scarlet

        Re: What authority did you have...

        What, you don't even check sites if there are abuse requests or requests from the customers to look at something? That's pretty poor service.

      2. Tom 13

        Re: What authority did you have...

        Backup logs sometimes tell you a hell of a lot about what's happening with a website. No need for poking around. I recall that being something of an issue when we used to transfer data for customers from an old PC to a new one in a screwdriver shop we worked for. When you see ParisNude.jpg or ParisF#ck.mpg scroll by on the screen in the temporary internet files folder, you can make a pretty good guess what it is.

  3. frank ly

    Again and again

    " ... he could input booking reference numbers other than his own and view other customers' personal details, simply by making a small change to the URL."

    This, as we know, is one of the oldest faults in the book of security failings. Leaving aside questions of which useless developer created the website, the management of this company are responsible for its security and they should be the ones to be hit by sanctions and fines (ha, if only).
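The fault quoted above, as an added example that is not from the article or any of the commenters: a Python booking lookup in its vulnerable form beside a hardened one that ties the record to the logged-in user, plus a simple count of denied lookups that a defender could alert on. The users, booking references and records are constructed sample data.

```python
from collections import Counter

# Constructed sample store: booking reference -> record. Sequential references
# like these are exactly what makes "change the number in the URL" work.
BOOKINGS = {
    "100234": {"owner": "alice", "hotel": "Hippo Grand", "card_last4": "4242"},
    "100235": {"owner": "bob", "hotel": "Hippo Lodge", "card_last4": "1111"},
}

# Denied lookups per authenticated user, so repeated probing of other
# people's references can be alerted on (the detection side of the fault).
DENIED = Counter()


def lookup_vulnerable(booking_ref):
    """Vulnerable: the URL parameter alone selects the record.

    Any logged-in (or even anonymous) caller who changes the reference in
    the URL gets someone else's booking back. This is the article's flaw.
    """
    return BOOKINGS.get(booking_ref)


def lookup_hardened(session_user, booking_ref):
    """Hardened: a session is required and the record must belong to the caller.

    Returns None for both 'no such booking' and 'not your booking', so the
    response does not confirm that a guessed reference exists.
    """
    if session_user is None:
        return None
    record = BOOKINGS.get(booking_ref)
    if record is None or record["owner"] != session_user:
        DENIED[session_user] += 1
        return None
    return record


def probing_users(threshold=3):
    """Users whose denied lookups reached the threshold (alert candidates)."""
    return sorted(u for u, n in DENIED.items() if n >= threshold)
```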


Biting the hand that feeds IT © 1998–2019