AwardWallet Hack

Old Jul 30, 2015, 9:31 pm
  #31  
FlyerTalk Evangelist
 
Join Date: May 2002
Location: Pittsburgh
Programs: MR/SPG LT Titanium, AA LT PLT, UA SLV, Avis PreferredPlus
Posts: 30,987
Originally Posted by nux
If the passwords were not displayed in plain text then a hack on AwardWallet accounts would not allow access to the account username/passwords of all accounts tracked within (except if the password for those is the same).
You click on the account name in AW and it automatically logs you in. Not knowing the id/pwd isn't all that meaningful if you can get to the account anyway.
CPRich is offline  
Old Jul 31, 2015, 1:43 am
  #32  
 
Join Date: Oct 2013
Posts: 639
Anyone who uses simple passwords that can either be brute-forced or guessed, or uses the same password for several websites, digs his own grave.
fuyao is offline  
Old Jul 31, 2015, 2:03 am
  #33  
nux
FlyerTalk Evangelist
 
Join Date: Jun 2012
Programs: BA Gold, QF WP
Posts: 12,551
Originally Posted by ckpeter
AwardWallet has a feature that logs into your site accounts for you automatically. Very handy. I use it often when I don't want to fuss with all the clicking.
Originally Posted by CPRich
You click on the account name in AW and it automatically logs you in. Not knowing the id/pwd isn't all that meaningful if you can get to the account anyway.
Perhaps that feature too should be more secure. I only use AW to monitor the balances.

But I see no reason why AW should allow you to view your already entered password details in plain text. That means if your AW account is compromised (whether through brute force, known password, etc) ALL your FF account details are also compromised.

This time it may have only been 250 AW accounts (compromising possibly thousands of FF accounts), next time it could be all AW accounts and who knows how many FF accounts.

Last edited by nux; Jul 31, 2015 at 2:05 am Reason: Misunderstood quoted replies
nux is offline  
Old Jul 31, 2015, 6:22 am
  #34  
Company Representative - AwardWallet
 
Join Date: Oct 2007
Posts: 56
Originally Posted by josephstern
Hmm. I was just able to log in and disable two-factor, without needing my two-factor code.

Kinda defeats the purpose.
But to log in you did need to use two-factor auth, so I don't think it defeats the purpose. On top of that, we also ask for your AwardWallet password to disable two-factor auth.
veresch is offline  
Old Jul 31, 2015, 6:25 am
  #35  
Company Representative - AwardWallet
 
Join Date: Oct 2007
Posts: 56
Originally Posted by DaveInLA
I wasn't one of the 250+ who got the email. Should I change all my passwords too? Or just my AW password?
Neither. If your password is unique to AwardWallet and complex you have nothing to worry about. I would recommend turning on two-factor auth which we made available to anyone (AwardWallet Plus and Regular accounts).
veresch is offline  
Old Jul 31, 2015, 6:35 am
  #36  
Company Representative - AwardWallet
 
Join Date: Oct 2007
Posts: 56
Originally Posted by lopinc1
If you were already logged in (via remembered cookies) then you wouldn't be prompted for the two-factor code. The two-factor code is used when you log in on that browser initially.

The best solution would be if AW requires another prompt for a two-factor password in order to display a clear-text loyalty password. This way even if a user did something dumb like leave their account logged in on a public computer, the clear text password wouldn't be displayed without another two-factor confirmation.

Also keep in mind that just because the loyalty passwords are being shown to you clear-text, doesn't mean they are stored that way. They have to be readable so AW can use them to check your points balance, so they can't be hashed, but I'll bet they are stored encrypted in their DB.
You are exactly right, the passwords to loyalty accounts are all stored encrypted (not hashed) so that we can check the balances. Removing the option to display the password in clear text (after you enter the password) or adding second-factor auth in there would not make it more secure; we would also have to get rid of the auto-login feature to make it more secure. I also want to point out that if your password is unique to AwardWallet and complex you have nothing to worry about.

We have 315,891 accounts on AwardWallet as of now, 250 got hacked and their usernames and passwords were very weak, like abcd / abcd so that is ~0.079%

Thanks,
-Alexi
veresch is offline  
Old Jul 31, 2015, 6:42 am
  #37  
Company Representative - AwardWallet
 
Join Date: Oct 2007
Posts: 56
Originally Posted by Andrew.Smith
Further comments have highlighted the lack of password re-entry requirement for the display of saved passwords - sounds to me like another system weakness.
This is not true, you do have to re-enter your master AwardWallet password to see your loyalty account password.
veresch is offline  
Old Jul 31, 2015, 6:53 am
  #38  
Company Representative - AwardWallet
 
Join Date: Oct 2007
Posts: 56
FYI, the two-factor authentication used to be only available to AwardWallet Plus members, we removed this requirement and now two-factor authentication is available to anyone.
veresch is offline  
Old Jul 31, 2015, 9:08 am
  #39  
FlyerTalk Evangelist
 
Join Date: Jul 2006
Location: Upper Sternistan
Posts: 10,028
Originally Posted by veresch
But to login you did need to use two-factor auth, so I don't think it defeat the purpose. On top of that, we also ask for your AwardWallet password to disable two-factor auth.
But that could have been a month ago that I logged in via two-factor. The cookie remembered me, right? Now, anyone who sits at my desk can open AW, go into settings, and turn off two-factor, without first re-authorizing with two-factor.
josephstern is offline  
Old Jul 31, 2015, 9:44 am
  #40  
 
Join Date: May 2004
Posts: 253
Originally Posted by josephstern
But that could have been a month ago that I logged in via two-factor. The cookie remembered me, right? Now, anyone who sits at my desk can open AW, go into settings, and turn off two-factor, without first re-authorizing with two-factor.
How can that be? He just said "On top of that, we also ask for your AwardWallet password to disable two-factor auth." Sounds like cookies alone wouldn't allow that.
lopinc1 is offline  
Old Jul 31, 2015, 9:49 am
  #41  
FlyerTalk Evangelist
 
Join Date: Jul 2006
Location: Upper Sternistan
Posts: 10,028
Originally Posted by lopinc1
How can that be? He just said "On top of that, we also ask for your AwardWallet password to disable two-factor auth." Sounds like cookies alone wouldn't allow that.
Password maybe, but not the code from Authy. Which defeats the point of two-factor, assuming you have the password and access to a browser that has been logged in.
josephstern is offline  
Old Jul 31, 2015, 10:36 am
  #42  
 
Join Date: Sep 2005
Posts: 2,731
Originally Posted by josephstern
Password maybe, but not the code from Authy. Which defeats the point of two-factor, assuming you have the password and access to a browser that has been logged in.
Honestly, if someone has your password AND access to a browser instance that has been logged in, they already have FULL access to everything you have, including all the account passwords.

At that point, disabling your two-factor authentication is not important to your attacker.
ckpeter is offline  
Old Jul 31, 2015, 12:53 pm
  #43  
 
Join Date: Mar 2014
Posts: 9
Originally Posted by veresch
We have 315,891 accounts on AwardWallet as of now, 250 got hacked and their usernames and passwords were very weak, like abcd / abcd so that is ~0.079%
Was it only cases where usernames/passwords were the same? If not, then how can you even tell that the passwords were weak if you are following basic secure account practices (hashing passwords).
seapoint is offline  
Old Jul 31, 2015, 3:12 pm
  #44  
 
Join Date: Feb 2008
Posts: 3
I am not sure I understand what happened. If it is a brute force attack and the hacker gained access to the user's account, how would s/he be able to obtain the user's loyalty password anyway? When I go to my account, the password is masked.

And then AwardWallet confirmed that on its end, the password is encrypted.

Anybody with better understanding?
binmarseto is offline  
Old Aug 1, 2015, 1:16 am
  #45  
Company Representative - AwardWallet
 
Join Date: Oct 2007
Posts: 56
Originally Posted by seapoint
Was it only cases where usernames/passwords were the same? If not, then how can you even tell that the passwords were weak if you are following basic secure account practices (hashing passwords).
The majority of the 250 accounts had the same username and password, we know what passwords they were trying to submit from the logs. They tried passwords like "password" or "1234567890".
veresch is offline  
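Added example, not AwardWallet's code and not from any poster, showing what an auth log can tell you about a campaign like this one without the log holding any password, together with a sign-up check for the credentials named in the thread ("abcd", "password", "1234567890"). The log lines are constructed for the example and use documentation IP ranges; the thresholds (four distinct accounts from one address, five failures on one account, a 12-character minimum) and the tiny deny list are assumptions, and a real deployment would use a breached-password list and thresholds tuned to its own traffic.

```javascript
// Added example (not AwardWallet's code). Two checks that follow from the
// thread: refuse the credentials that were being guessed here at sign-up, and
// spot a guessing campaign in the auth log without ever logging a password.

// Stand-in for a real breached-password list (assumption: a production list
// holds many millions of entries).
const DENY_LIST = new Set(['abcd', 'password', '1234567890', '12345678', 'qwerty']);
const MIN_LENGTH = 12; // assumption

// Returns null when acceptable, otherwise a short reason.
function isWeakCredential(username, password) {
  const u = username.trim().toLowerCase();
  const p = password.toLowerCase();
  if (p === u || (u.length >= 4 && p.includes(u))) return 'contains username';
  if (DENY_LIST.has(p)) return 'commonly guessed';
  if (p.length < MIN_LENGTH) return 'too short';
  return null;
}

// Constructed log lines: one legitimate user who mistyped once, one address
// (203.0.113.7) walking a list of accounts and landing two, and one account
// (erin) being hammered from a single address. Only outcome, username and
// source are recorded; the attempted password never reaches the log.
const SAMPLE_LOG = [
  '2015-07-30T02:10:01Z auth result=fail user=alice src=198.51.100.4',
  '2015-07-30T02:10:05Z auth result=ok user=alice src=198.51.100.4',
  '2015-07-30T02:11:00Z auth result=fail user=abcd src=203.0.113.7',
  '2015-07-30T02:11:01Z auth result=ok user=abcd src=203.0.113.7',
  '2015-07-30T02:11:02Z auth result=fail user=bob src=203.0.113.7',
  '2015-07-30T02:11:03Z auth result=fail user=carol src=203.0.113.7',
  '2015-07-30T02:11:04Z auth result=fail user=dave src=203.0.113.7',
  '2015-07-30T02:11:05Z auth result=ok user=test src=203.0.113.7',
  '2015-07-30T02:12:00Z auth result=fail user=erin src=192.0.2.9',
  '2015-07-30T02:12:01Z auth result=fail user=erin src=192.0.2.9',
  '2015-07-30T02:12:02Z auth result=fail user=erin src=192.0.2.9',
  '2015-07-30T02:12:03Z auth result=fail user=erin src=192.0.2.9',
  '2015-07-30T02:12:04Z auth result=fail user=erin src=192.0.2.9',
  '2015-07-30T02:12:05Z auth result=fail user=erin src=192.0.2.9',
];

const LINE_RE = /^(\S+) auth result=(ok|fail) user=(\S+) src=(\S+)$/;

function parseLogLine(line) {
  const m = LINE_RE.exec(line);
  return m ? { ts: m[1], ok: m[2] === 'ok', user: m[3], src: m[4] } : null;
}

// Spray: one source trying many distinct accounts (cheap passwords across the
// user base; the successes are the accounts worth resetting). Brute force:
// many failures against one account. Thresholds are assumptions for the sample.
function detectAbuse(lines, { sprayUsers = 4, bruteFails = 5 } = {}) {
  const usersBySrc = new Map();
  const successesBySrc = new Map();
  const failsByUser = new Map();
  for (const line of lines) {
    const e = parseLogLine(line);
    if (!e) continue; // skip lines that are not auth events
    if (!usersBySrc.has(e.src)) usersBySrc.set(e.src, new Set());
    usersBySrc.get(e.src).add(e.user);
    if (e.ok) {
      if (!successesBySrc.has(e.src)) successesBySrc.set(e.src, new Set());
      successesBySrc.get(e.src).add(e.user);
    } else {
      failsByUser.set(e.user, (failsByUser.get(e.user) || 0) + 1);
    }
  }
  const spraySources = [...usersBySrc]
    .filter(([, users]) => users.size >= sprayUsers)
    .map(([src, users]) => ({
      src,
      distinctUsers: users.size,
      compromised: [...(successesBySrc.get(src) || [])],
    }));
  const bruteForcedUsers = [...failsByUser]
    .filter(([, n]) => n >= bruteFails)
    .map(([user, fails]) => ({ user, fails }));
  return { spraySources, bruteForcedUsers };
}
```

Run over SAMPLE_LOG, detectAbuse() names 203.0.113.7 as a spray source with "abcd" and "test" as the accounts it got into, and erin as the brute-forced account; the legitimate user's single mistype trips neither rule.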

