Leaked Secrets and Unlimited Miles: Hacking the Largest Airline and Hotel Rewards Pla

Old Aug 6, 2023, 12:04 pm
  #1  
Original Poster
 
Join Date: Dec 2011
Posts: 69
Leaked Secrets and Unlimited Miles: Hacking the Largest Airline and Hotel Rewards Pla

https://samcurry.net/points-com/

Between March 2023 and May 2023, we identified multiple security vulnerabilities within points.com, the backend provider for a significant portion of airline and hotel rewards programs. These vulnerabilities would have enabled an attacker to access sensitive customer account information, including names, billing addresses, redacted credit card details, emails, phone numbers, and transaction records. Moreover, the attacker could exploit these vulnerabilities to perform actions such as transferring points from customer accounts and gaining unauthorized access to a global administrator website. This unauthorized access would grant the attacker full permissions to issue reward points, manage rewards programs, oversee customer accounts, and execute various administrative functions.

Upon reporting these vulnerabilities, the points.com team responded very quickly, acknowledging each report within an hour. They promptly took affected websites offline to conduct thorough investigations and subsequently patched all identified issues. All vulnerabilities reported in this blog post have since been remediated.

The technical folk here will understand how this analysis found a number of weaknesses in the implementations of various airline and hotel mileage and points program infrastructure. However, what is not exposed in the study are the fundamental design flaws in the architecture of these platforms.

For example, calling out United/MileagePlus, it's a pity that they haven't yet realized the flaws of not using legitimate TFA, and instead pretend that a handful of common questions with a small number of predefined answers can serve as a security cloak. How many of you have had to speak to agents while surrounded by fellow passengers and give out your mileage number and name, together with your security answers?

Hope these sorts of hacking efforts place greater scrutiny on airline/hotel mileage and points programs, given the many security deficiencies within their platforms.
Posted by j8s8er

