United "buy miles" website personal information disclosure

Old Feb 21, 2019, 8:53 pm
  #1  
Original Poster
 
Join Date: Jul 2007
Location: San Francisco/Sydney
Programs: UA 1K/MM, Hilton Diamond, Marriott Something, IHG Gold, Hertz PC, Avis PC
Posts: 8,156
United "buy miles" website personal information disclosure

Just in case you needed another reason not to leave your boarding pass in the back of your seat...

United's "buy miles" website, which is actually run by Points.com, allows you to take a MileagePlus number and a surname (both in the barcode on a boarding pass, plus obviously in countless other places) and use them to obtain multiple personal details including home address, phone number, email address, miles balance, whether you have a co-branded credit card, and more...

https://blog.docbert.org/united-airl...on-disclosure/

United was notified of this over 18 months ago, at which point they claimed they did not consider it a security issue - and it's still not fixed...

(As per FT rule 7, this is my blog - in case my username didn't give that away...)
docbert is offline  
Old Feb 22, 2019, 7:00 am
  #2  
 
Join Date: Mar 2014
Location: PWM
Programs: AA Plat
Posts: 1,335
Originally Posted by docbert
Just in case you needed another reason not to leave your boarding pass in the back of your seat...

United's "buy miles" website, which is actually run by Points.com, allows you to take a MileagePlus number and a surname (both in the barcode on a boarding pass, plus obviously in countless other places) and use them to obtain multiple personal details including home address, phone number, email address, miles balance, whether you have a co-branded credit card, and more...
Well, you can already get most of that info from the BP (name, phone, email, status). And you could always Google for their address. The fact is, none of this would be a problem if people weren't so careless with their personal information.

Would you blame a bank if someone left their username and password on a bus and a stranger got into their account?
sexykitten7 is offline  
Old Feb 22, 2019, 10:42 am
  #3  
FlyerTalk Evangelist
 
Join Date: Aug 2015
Posts: 11,461
Originally Posted by docbert
Just in case you needed another reason not to leave your boarding pass in the back of your seat...

United's "buy miles" website, which is actually run by Points.com, allows you to take a MileagePlus number and a surname (both in the barcode on a boarding pass, plus obviously in countless other places) and use them to obtain multiple personal details including home address, phone number, email address, miles balance, whether you have a co-branded credit card, and more...

https://blog.docbert.org/united-airl...on-disclosure/

United was notified of this over 18 months ago, at which point they claimed they did not consider it a security issue - and it's still not fixed...

(As per FT rule 7, this is my blog - in case my username didn't give that away...)
Interestingly, I notice it also passes the name / email / MP info of other travellers saved to my profile. No idea why that would be needed for whatever they're doing.

I don't have expertise in computer security, so I can't comment on whether it's a large risk exposure, but it certainly seems like they're not going by a standard of minimum necessary information.
fumje is offline  
Old Feb 22, 2019, 10:21 pm
  #4  
Original Poster
 
Join Date: Jul 2007
Location: San Francisco/Sydney
Programs: UA 1K/MM, Hilton Diamond, Marriott Something, IHG Gold, Hertz PC, Avis PC
Posts: 8,156
Well, after 19 months of no action, within a day of me making this issue public United has fixed it - buymiles.mileageplus.com now uses MP number + password to log in, rather than MP number + surname as it did previously.

Great to see it's fixed - it's just a pity that it took so long and required public disclosure before they thought it worthy of fixing.
onthesam likes this.
docbert is offline  
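As an added illustration (not code from the thread, from United or from Points.com): a toy profile-lookup service in Python showing the surname-as-credential check the original post describes beside the password-based check post #4 reports as the fix, with the response trimmed to the minimum-necessary fields fumje raises. All member numbers, names, addresses and passwords below are constructed.

```python
"""Toy model of the "buy miles" lookup flaw and its fix. Added example;
every record, number and password here is constructed, not real data."""
import hashlib
import hmac
import secrets


def _hash(password: str, salt: bytes) -> bytes:
    # Slow, salted password hash; PBKDF2-HMAC-SHA256 from the standard library.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed sample record; fields mirror those the post says were exposed.
_SALT = secrets.token_bytes(16)
MEMBERS = {
    "MP00000001": {
        "surname": "EXAMPLE", "address": "1 Sample St", "phone": "555-0100",
        "email": "member@example.invalid", "balance": 12345,
        "cobrand_card": True, "salt": _SALT,
        "pw_hash": _hash("correct horse battery staple", _SALT),
    },
}
# Dummy hash used for unknown members so the timing of a failed lookup does
# not reveal whether a member number exists.
_DUMMY_SALT = secrets.token_bytes(16)
_DUMMY_HASH = _hash("", _DUMMY_SALT)


def lookup_weak(mp_number: str, surname: str):
    """Before: 'authenticates' with two values printed on every boarding pass
    and, on a match, hands back the entire profile."""
    m = MEMBERS.get(mp_number)
    if m and m["surname"].upper() == surname.upper():
        return {k: v for k, v in m.items() if k not in ("pw_hash", "salt")}
    return None


def lookup_fixed(mp_number: str, password: str):
    """After: requires a secret the member chose, compares it in constant
    time, and returns only what a purchase flow actually needs."""
    m = MEMBERS.get(mp_number)
    salt = m["salt"] if m else _DUMMY_SALT
    expected = m["pw_hash"] if m else _DUMMY_HASH
    ok = hmac.compare_digest(_hash(password, salt), expected)
    if not (m and ok):
        return None
    return {"balance": m["balance"]}
```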