AwardWallet Hack
#31
FlyerTalk Evangelist
Join Date: May 2002
Location: Pittsburgh
Programs: MR/SPG LT Titanium, AA LT PLT, UA SLV, Avis PreferredPlus
Posts: 30,987
You click on the account name in AW and it automatically logs you in. Not knowing the id/pwd isn't all that meaningful if you can get to the account anyway.
#33
FlyerTalk Evangelist
Join Date: Jun 2012
Programs: BA Gold, QF WP
Posts: 12,551
But I see no reason why AW should allow you to view your already entered password details in plain text. That means if your AW account is compromised (whether through brute force, known password, etc) ALL your FF account details are also compromised.
This time it may have only been 250 AW accounts (compromising possibly thousands of FF accounts), next time it could be all AW accounts and who knows how many FF accounts.
Last edited by nux; Jul 31, 2015 at 2:05 am Reason: Misunderstood quoted replies
#34
Company Representative - AwardWallet
Join Date: Oct 2007
Posts: 56
But to login you did need to use two-factor auth, so I don't think it defeats the purpose. On top of that, we also ask for your AwardWallet password to disable two-factor auth.
#35
Company Representative - AwardWallet
Join Date: Oct 2007
Posts: 56
Neither. If your password is unique to AwardWallet and complex you have nothing to worry about. I would recommend turning on two-factor auth which we made available to anyone (AwardWallet Plus and Regular accounts).
#36
Company Representative - AwardWallet
Join Date: Oct 2007
Posts: 56
If you were already logged in (via remembered cookies) then you wouldn't be prompted for the two-factor code. The two-factor code is used when you log in on that browser initially.
The best solution would be if AW requires another prompt for a two-factor password in order to display a clear-text loyalty password. This way even if a user did something dumb like leave their account logged in on a public computer, the clear text password wouldn't be displayed without another two-factor confirmation.
Also keep in mind that just because the loyalty passwords are being shown to you clear-text, doesn't mean they are stored that way. They have to be readable so AW can use them to check your points balance, so they can't be hashed, but I'll bet they are stored encrypted in their DB.
We have 315,891 accounts on AwardWallet as of now; 250 got hacked, and their usernames and passwords were very weak, like abcd / abcd, so that is ~0.079%.
Thanks,
-Alexi
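The step-up control proposed above (a fresh second-factor prompt before a stored loyalty password is shown in clear text, and before two-factor auth can be switched off, even when a remembered cookie keeps the session alive) can be modelled in a few lines. The following is an added illustration written for this thread, not AwardWallet code; the TOTP secret, the 300-second freshness window, the in-memory vault and the session object are all constructed assumptions.

```python
import hmac
import hashlib
import struct

# Constructed demo values: not an AwardWallet secret, not a real policy.
DEMO_TOTP_SECRET = b"constructed-demo-secret-0123456789"
STEP_UP_WINDOW_SECONDS = 300  # hypothetical: how long a second-factor check stays "fresh"


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits) using only the stdlib."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Session:
    """A remembered-cookie session: the second factor was last seen at initial login."""

    def __init__(self, login_time: int):
        self.login_time = login_time
        self.last_second_factor_at = login_time


def verify_second_factor(session: Session, secret: bytes, code: str, now: int) -> bool:
    """Accept the current 30-second step and one step either side (clock skew)."""
    for drift in (-30, 0, 30):
        if hmac.compare_digest(totp(secret, now + drift), code):
            session.last_second_factor_at = now
            return True
    return False


def step_up_ok(session: Session, now: int) -> bool:
    """True only if the second factor was confirmed within the freshness window."""
    return now - session.last_second_factor_at <= STEP_UP_WINDOW_SECONDS


def _require_fresh_second_factor(session, now, code, secret):
    if step_up_ok(session, now):
        return True
    return code is not None and verify_second_factor(session, secret, code, now)


def reveal_loyalty_password(session, vault, account, now, code=None, secret=DEMO_TOTP_SECRET):
    """Return ("ok", password) only behind a fresh second factor, else ("denied", reason)."""
    if not _require_fresh_second_factor(session, now, code, secret):
        return ("denied", "fresh second factor required to reveal a stored credential")
    return ("ok", vault[account])


def disable_two_factor(session, master_password_ok, now, code=None, secret=DEMO_TOTP_SECRET):
    """Turning 2FA off needs the master password AND a fresh second factor."""
    if not master_password_ok:
        return ("denied", "master password required")
    if not _require_fresh_second_factor(session, now, code, secret):
        return ("denied", "fresh second factor required to disable two-factor auth")
    return ("ok", "two-factor disabled")


if __name__ == "__main__":
    login = 1_438_300_000                      # constructed timestamp
    later = login + 30 * 86400                 # cookie remembered for a month
    session = Session(login)
    vault = {"demo-airline": "constructed-loyalty-password"}
    print(reveal_loyalty_password(session, vault, "demo-airline", later))
    print(reveal_loyalty_password(session, vault, "demo-airline", later,
                                  code=totp(DEMO_TOTP_SECRET, later)))
```

The point of the freshness window is that a stale "remembered" login never satisfies a sensitive action on its own: the reveal and the 2FA-disable paths both fall through to a live code check, and a successful check only buys a short window before the next prompt.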
#37
Company Representative - AwardWallet
Join Date: Oct 2007
Posts: 56
This is not true, you do have to re-enter your master AwardWallet password to see your loyalty account password.
#39
FlyerTalk Evangelist
Join Date: Jul 2006
Location: Upper Sternistan
Posts: 10,028
But that could have been a month ago that I logged in via two-factor. The cookie remembered me, right? Now, anyone who sits at my desk can open AW, go into settings, and turn off two-factor, without first re-authorizing with two-factor.
#40
Join Date: May 2004
Posts: 253
How can that be? He just said "On top of that, we also ask for your AwardWallet password to disable two-factor auth." Sounds like cookies alone wouldn't allow that.
#41
FlyerTalk Evangelist
Join Date: Jul 2006
Location: Upper Sternistan
Posts: 10,028
Password maybe, but not the code from Authy. Which defeats the point of two-factor, assuming you have the password and access to a browser that has been logged in.
#42
Join Date: Sep 2005
Posts: 2,731
At that point, disabling your two-factor authentication is not important to your attacker.
#43
Join Date: Mar 2014
Posts: 9
Was it only cases where usernames/passwords were the same? If not, then how can you even tell that the passwords were weak if you are following basic secure account practices (hashing passwords).
#44
Join Date: Feb 2008
Posts: 3
I am not sure I understand what happened. If it is a brute force attack and the hacker gained access to the user's account, how would s/he be able to obtain the user's loyalty password anyway? When I go to my account, the password is masked.
And then AwardWallet confirmed that on its end, the password is encrypted.
Anybody with better understanding?
#45
Company Representative - AwardWallet
Join Date: Oct 2007
Posts: 56
The majority of the 250 accounts had the same username and password, we know what passwords they were trying to submit from the logs. They tried passwords like "password" or "1234567890".
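Two service-side controls follow from this post: refusing a password that equals the username or sits on a common-password list at sign-up, and spotting from the login log when one source is failing against many accounts in a short span (the pattern of a guessing run). The block below is an added example for this thread, not AwardWallet code; the log format, the blocklist, the thresholds and the sample log lines are all constructed here. Note that the sample log records only the outcome of each attempt, never the submitted password.

```python
import re
from collections import defaultdict

# Constructed blocklist; a real deployment would use a much larger breached-password list.
COMMON_PASSWORDS = {"password", "1234567890", "123456", "abcd", "qwerty"}


def check_new_password(username: str, password: str) -> list:
    """Sign-up policy: return the reasons a password is rejected (empty list == accepted)."""
    reasons = []
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    if password.lower() == username.lower():
        reasons.append("same as username")
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("on common-password blocklist")
    if password.isdigit():
        reasons.append("digits only")
    return reasons


# Hypothetical log format: "<epoch seconds> <source ip> <username> <OK|FAIL>"
LOG_LINE = re.compile(r"^(?P<ts>\d+) (?P<ip>[\d.]+) (?P<user>\S+) (?P<result>OK|FAIL)$")


def find_guessing_sources(lines, window=600, min_failures=20, min_accounts=5) -> dict:
    """Flag source IPs whose failed logins hit many distinct accounts inside `window` seconds."""
    failures_by_ip = defaultdict(list)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m["result"] != "FAIL":
            continue
        failures_by_ip[m["ip"]].append((int(m["ts"]), m["user"]))

    flagged = {}
    for ip, events in failures_by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):            # sliding window over sorted failures
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            accounts = {user for _, user in span}
            if len(span) >= min_failures and len(accounts) >= min_accounts:
                flagged[ip] = {"failures": len(span), "accounts": len(accounts)}
                break                                 # first window that trips the rule
    return flagged


# Constructed sample: one source fails against 25 accounts in ~100 s; one user mistypes once.
SAMPLE_LOG = [f"{1438300000 + i * 4} 203.0.113.7 user{i:02d} FAIL" for i in range(25)] + [
    "1438300010 198.51.100.3 alice FAIL",
    "1438300040 198.51.100.3 alice OK",
]

if __name__ == "__main__":
    print(check_new_password("abcd", "abcd"))
    print(find_guessing_sources(SAMPLE_LOG))
```

The sign-up check is where the "abcd / abcd" and "password" cases are cheapest to stop; the log scan is what lets an operator say, as the post does, that a cluster of failed attempts came from a guessing run rather than from users forgetting their passwords.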