FlyerTalk Forums > Miles&Points > Airlines and Mileage Programs > United Airlines | MileagePlus

United IT Failure (deep sigh) {brute-force PIN hack published}

Old Jun 26, 2015, 3:15 pm
  #1  
Original Poster
 
Join Date: Jan 2009
Location: PDX
Programs: Delta Skymiles, United Mileage Plus and Alaska Airlines Mileage Plan
Posts: 20
United IT Failure (deep sigh) {brute-force PIN hack published}

An independent security researcher identified a way to brute-force a password change through the United website, and then filed for their bug bounty. When United didn't reply, he posted the recipe on Slashdot, and it's now starting to go viral.

When can we get rid of the PIN!

http://it.slashdot.org/story/15/06/2...k-gets-snubbed
Nogitsune is offline  
Old Jun 26, 2015, 3:30 pm
  #2  
 
Join Date: Jan 2014
Location: ORD
Programs: UA 1k, SPG Plat 100
Posts: 619
I'm fine with the pin for phone verification, but I just found out a few days ago you can log into the website with it. That absolutely should not be allowed.

The above, of course, is also absurd. Snubbing someone who has personally found a major security issue is too stupid for words.
Boo_Radley is offline  
Old Jun 26, 2015, 3:36 pm
  #3  
 
Join Date: Jun 2004
Location: ATL
Programs: Delta PlM, 1M
Posts: 6,363
The poster appears to have a reputation over at /. as being a quack.

A quick trip to the recovery page makes it clear it is not as simple as he claims.

Agreed though that the PIN is a friggen joke and should have been gone years ago.
exwannabe is offline  
Old Jun 26, 2015, 3:40 pm
  #4  
 
Join Date: Nov 2006
Location: SFO South Bay
Programs: UA 2MM
Posts: 3,052
United's IT is not just poor, it is dangerously negligent. Having a 4-digit PIN for logon is bad enough. To not have any avoidance of brute force attacks in guessing the PIN? Wow. Just wow.

Frankly, I have a hard time believing even UA is that stupid. Surely they cannot be. Surely.
blueman2 is offline  
Old Jun 26, 2015, 3:47 pm
  #5  
Moderator: United Airlines
 
Join Date: Jun 2007
Location: SFO
Programs: UA Plat 1.995MM, Hyatt Discoverist, Marriott Plat/LT Gold, Hilton Silver, IHG Plat
Posts: 66,852
If I read the article correctly, entering a first & last name and a PIN guess, it states "the page will tell you whether your information matched an existing MileagePlus customer record."
and it sends the account number to your account email.

So the brute force can validate the PIN but it is still missing the account id -- and the account e-mail as a log on was disabled a while ago

Full account IDs have not been on BPs for awhile, so one would have to have inside info to get into the account.

So not a good thing to validate the PIN, but not quite an open access to accounts method.


====

And the bounty side specifically excludes brute force attacks (although that may be a poor decision).
WineCountryUA is offline  
Old Jun 26, 2015, 3:49 pm
  #6  
 
Join Date: Jan 2009
Location: LHR (sometimes CLE, SFO, BOS, LAX, SEA)
Programs: UA 1K
Posts: 5,893
Wow, it's Bennett Haselton! Blast from the past. This is like seeing a troll post from adequacy.org or like reading Steve Gibson's take on raw TCP sockets in operating systems — just adorable.

UA's back-end software does have some deep, deep problems. My personal favorite is that you can check in online with a MileagePlus # and PIN — or, you can check in online *on the mobile site or at a kiosk* with just a MileagePlus#. Once you learn someone's MP# you can stalk all their future bookings using the mobile site or an airport kiosk and by learning their PNR and last name from OLCI, you can make arbitrary changes to their flights online or via phone.

Edit: Note that it is more difficult than it used to be to learn someone's MileagePlus number. It is no longer displayed verbatim at OLCI or on your e-ticket or via "edit traveler info" when viewing PNR online. The MP# is a fairly special token now, something more than just a username.
mherdeg is offline  
Old Jun 26, 2015, 3:51 pm
  #7  
 
Join Date: Nov 2006
Location: SFO South Bay
Programs: UA 2MM
Posts: 3,052
OK, folks, I just ran a quick script to test this security issue, and it is TRUE!!! I was able to run 10 guesses of my own PIN and the site did not shut me down. I gave it the true number on guess 11, and it sure enough told me I had the right PIN (by saying it had sent me my info via email).

So this is a true security issue.
blueman2 is offline  
Old Jun 26, 2015, 3:52 pm
  #8  
 
Join Date: Feb 2009
Location: CLE
Programs: UA 1K MM, DL Plat
Posts: 982
I laughed when I saw the UA bug bounty program. Hard.

Bennett aside, who truly is infamous over at /., the thing is, companies announce bug bounties when they're already pretty sure they have ironed out their systems kinks, and are looking to incentivize a community to find the really complex stuff for them. Buffer overflows, remote code exploits, XSS vulnerabilities, etc...

UA's systems are a hot mess and full of bugs. This is the company that had to disable username/password login months ago, and hasn't found a way to re-enable it yet. Then they announce a bug bounty, which is guaranteed to get a bunch of wacky kids with way too much time on their hands prodding at every crack in the system, regardless of what the rules actually say.

This is the company who cannot reply to their best customers in a timely fashion, or process refunds on-time, or fix issues with upgrade payments that amount to outright fraud. And they're going to start responding in a timely fashion to random Internet jocks that have ZERO incentive not to potentially take the bugs they find and sell them on IRC for a lot more cash than they'd get in RDMs?

I laughed. Hard.

Even Microsoft and Google get burned by these programs occasionally, even as they can be extremely useful used properly. UA never had a chance, and I'm frankly surprised it took this long for the first "leak" to hit the 'net.
Darlox is offline  
Old Jun 26, 2015, 3:57 pm
  #9  
Original Poster
 
Join Date: Jan 2009
Location: PDX
Programs: Delta Skymiles, United Mileage Plus and Alaska Airlines Mileage Plan
Posts: 20
Originally Posted by mherdeg
Wow, it's Bennett Haselton! Blast from the past. This is like seeing a troll post from adequacy.org or like reading Steve Gibson's take on raw TCP sockets in operating systems — just adorable.
I had managed to scrub Steve Gibson and "Shields Up!" from my mind. Thanks for that. ;-)

The big issue is that if you know the MP number and the PIN, you can theoretically log into the website. Now, that's a pretty steep slope to climb:

1) Gotta get the MP number, perhaps from baggage tag or from corporate travel records? Unscrupulous ticket agent?

2) Gotta know the passenger's first and last name.

3) Gotta ensure that the PIN is correct or not. Simple fix here is to stop after a number of incorrect attempts and lock the account. Shockingly lazy and bad form on United's IT department and/or their contractors.

Getting all three of these is difficult. However, it's not impossible.
Nogitsune is offline  
Old Jun 26, 2015, 4:00 pm
  #10  
 
Join Date: Nov 2006
Location: SFO South Bay
Programs: UA 2MM
Posts: 3,052
Originally Posted by Nogitsune
I had managed to scrub Steve Gibson and "Shields Up!" from my mind. Thanks for that. ;-)

The big issue is that if you know the MP number and the PIN, you can theoretically log into the website. Now, that's a pretty steep slope to climb:

1) Gotta get the MP number, perhaps from baggage tag or from corporate travel records? Unscrupulous ticket agent?

2) Gotta know the passenger's first and last name.

3) Gotta ensure that the PIN is correct or not. Simple fix here is to stop after a number of incorrect attempts and lock the account. Shockingly lazy and bad form on United's IT department and/or their contractors.

Getting all three of these is difficult. However, it's not impossible.
All I needed to hack my own PIN was my first and last name. In reply, it GAVE me the MP number!

So all you need is someone's first and last name. Lame. Just lame.
blueman2 is offline  
Old Jun 26, 2015, 4:05 pm
  #11  
Moderator: United Airlines
 
Join Date: Jun 2007
Location: SFO
Programs: UA Plat 1.995MM, Hyatt Discoverist, Marriott Plat/LT Gold, Hilton Silver, IHG Plat
Posts: 66,852
Originally Posted by blueman2
.... In reply, it GAVE me the MP number! .....
How?
For me it was via my account e-mail -- limited folks have access to that.
WineCountryUA is offline  
Old Jun 26, 2015, 4:07 pm
  #12  
 
Join Date: Nov 2006
Location: SFO South Bay
Programs: UA 2MM
Posts: 3,052
Originally Posted by WineCountryUA
How?
For me it was via my account e-mail -- limited folks have access to that.
Ah, correct. I confused myself since it sent me the email with my own MP number. But since I only have name and PIN, I would still need the account number.

I stand corrected on that!
blueman2 is offline  
Old Jun 26, 2015, 5:03 pm
  #13  
Moderator: United Airlines
 
Join Date: Jun 2007
Location: SFO
Programs: UA Plat 1.995MM, Hyatt Discoverist, Marriott Plat/LT Gold, Hilton Silver, IHG Plat
Posts: 66,852
Originally Posted by Nogitsune
...
The big issue is that if you know the MP number and the PIN, you can theoretically log into the website. Now, that's a pretty steep slope to climb:

1) Gotta get the MP number, perhaps from baggage tag or from corporate travel records? Unscrupulous ticket agent?

2) Gotta know the passenger's first and last name.

3) Gotta ensure that the PIN is correct or not. Simple fix here is to stop after a number of incorrect attempts and lock the account. Shockingly lazy and bad form on United's IT department and/or their contractors.

Getting all three of these is difficult. However, it's not impossible.
And if successful, the target gets an email that would be best not to ignore: "MileagePlus Number and PIN Resolution"

The missing lockout after X tries is the major breach (besides having a 4-digit numeric PIN in the first place).
WineCountryUA is offline  
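A toy model of the name + PIN lookup with the lockout that posts #9 and #13 ask for, added here as an example; it is not code from this thread or from United, and the policy numbers (5 attempts, 15-minute lock), the sample account and the salt scheme are constructed. It replays the upthread experiment (10 wrong guesses, then the right one) against an unprotected instance and a locked-down one, and records every outcome in an audit list so a defender can alert on a run of mismatches.

```python
import hashlib
import hmac

# Constructed policy values; the thread only says "lock out after X tries".
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60

def _hash_pin(pin: str, salt: bytes) -> bytes:
    # Salted PBKDF2; iteration count kept low so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 20_000)

class PinRecovery:
    """Toy model of the name + PIN lookup, with an optional per-account lockout."""
    def __init__(self, lockout_enabled: bool = True):
        self.lockout_enabled = lockout_enabled
        self.accounts = {}  # (first, last) -> account record
        self.audit = []     # (event, account number, time): feed for brute-force alerting

    def add(self, number: str, first: str, last: str, pin: str) -> None:
        salt = hashlib.sha256(b"salt:" + number.encode()).digest()[:16]  # constructed salt
        self.accounts[(first.lower(), last.lower())] = {"number": number, "salt": salt,
            "hash": _hash_pin(pin, salt), "failed": 0, "locked_until": 0.0}

    def verify(self, first: str, last: str, pin: str, now: float) -> str:
        """Backend outcome: MATCH, MISMATCH, LOCKED or UNKNOWN; only MATCH should trigger the email."""
        acct = self.accounts.get((first.lower(), last.lower()))
        if acct is None:
            return "UNKNOWN"
        if self.lockout_enabled and now < acct["locked_until"]:
            self.audit.append(("LOCKED_ATTEMPT", acct["number"], now))
            return "LOCKED"
        if hmac.compare_digest(_hash_pin(pin, acct["salt"]), acct["hash"]):
            acct["failed"] = 0
            self.audit.append(("MATCH_EMAIL_SENT", acct["number"], now))
            return "MATCH"
        acct["failed"] += 1
        self.audit.append(("PIN_MISMATCH", acct["number"], now))
        if self.lockout_enabled and acct["failed"] >= MAX_FAILED_ATTEMPTS:
            acct["locked_until"], acct["failed"] = now + LOCKOUT_SECONDS, 0
            self.audit.append(("ACCOUNT_LOCKED", acct["number"], now))
        return "MISMATCH"

def sweep(service: PinRecovery, first: str, last: str, limit: int = 10_000) -> tuple:
    """Replay the thread's experiment: guess 0000, 0001, ... until MATCH or LOCKED; returns (attempts, outcome)."""
    for i in range(limit):
        outcome = service.verify(first, last, f"{i:04d}", now=0.0)
        if outcome in ("MATCH", "LOCKED"):
            return i + 1, outcome
    return limit, "EXHAUSTED"
```

The web front end should render the same neutral message for all four backend outcomes, so the lockout is what stops the sweep rather than the page's wording.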
Old Jun 26, 2015, 5:04 pm
  #14  
FlyerTalk Evangelist
 
Join Date: Feb 2002
Location: San Francisco/Tel Aviv/YYZ
Programs: CO 1K-MM
Posts: 10,762
United's IT is a joke. They should have switched to a username/password system years ago (like ua.bomb) but they used the SHARES-based one instead. Less secure, less easy to use.
entropy is offline  
Old Jun 26, 2015, 5:56 pm
  #15  
 
Join Date: Jun 2011
Location: Colorado
Programs: United MM (formerly 1K), Marriott Lifetime Gold
Posts: 551
Originally Posted by mherdeg

Edit: Note that it is more difficult than it used to be to learn someone's MileagePlus number. It is no longer displayed verbatim at OLCI or on your e-ticket or via "edit traveler info" when viewing PNR online. The MP# is a fairly special token now, something more than just a username.
Based on the article, it looks like you don't need the MileagePlus number. You just need the first and last name, which is available on the boarding pass, to guess the PIN.
FlyingNut724 is offline  