How to Get Unlimited Airline Miles: Researchers Find the Cheat Codes

Crosswind landing. That’s not supposed to happen.

A team of three ethical hackers found five huge bugs in Points.com. The service, which many airlines and others use as a way of converting frequent-flyer miles and points, quickly fixed the vulnerabilities.

But the ease with which the team found them is kinda worrying. In today’s SB Blogwatch, we wonder what else is lurking that lets scrotes steal quasi-currency.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Famous guitar solos on bagpipes.

Points of Interest

What’s the craic? Lily Hay Newman reports—“Hackers Could Have Scored Unlimited Airline Miles”:

Supply chain attacks
Under the hood … the digital infrastructure for many of these programs—including Delta SkyMiles, United MileagePlus, Hilton Honors, and Marriott Bonvoy—is built on the same platform. The backend comes from the loyalty commerce company Points.

Vulnerabilities in the Points.com API could have been exploited to expose customer data, steal customers’ “loyalty currency” (like miles), or even compromise Points global administration accounts to gain control of entire loyalty programs. … An encrypted cookie assigned to each user had been encrypted with an easily guessable secret—the word “secret” … the researchers could decrypt their cookie, reassign themselves global administrator privileges for the site … and essentially assume god-mode-like capabilities.

The researchers focus their work on platforms that become critical because they are acting as shared infrastructure among a number of organizations. … Bad actors are increasingly homing in on this strategy as well, carrying out supply chain attacks … in widely used software and equipment.

Horse’s mouth? Sam Curry, with Ian Carroll and Shubham Shah—“Hacking the Largest Airline and Hotel Rewards Platform”:

It’s super interesting
Between March 2023 and May 2023, we identified multiple security vulnerabilities within points.com. [They] responded very quickly, acknowledging each report within an hour. They promptly took affected websites offline to conduct thorough investigations and subsequently patched all identified issues. … The detection and response by the points.com team was seriously impressive.

Our first report was an unauthenticated HTTP path traversal allowing access to an internal API. … The second vulnerability we reported was an authorization bypass that would allow an attacker to transfer airline rewards points. … On May 2nd, 2023, we discovered an endpoint … that leaked the “macID” and “macKey” used by Virgin to authenticate. … On April 29th, 2023, we identified an additional fourth vulnerability … where an attacker could generate an authorization token for any user. … On May 2nd, 2023, we identified that the Flask session secret … was the word “secret” [giving] super administrator permissions.

From a hacker’s perspective, it’s super interesting seeing a system that stores … value that’s essentially one-step from being used as an actual currency. … The holy grail for us would be the ability to generate unlimited miles. We’d never be able to actually exploit it (ethically), but just the idea of finding a way to travel the world with free first class flights, five star hotels, cruises, and meals kept us going.
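As an added example (not from the researchers’ write-up or Points.com’s code), the two defender-side controls the “secret” finding calls for, in stdlib-only Python: a startup gate that refuses weak session secrets, and a simplified HMAC-signed cookie showing why rotating the key after such a finding invalidates every cookie minted under the old one. The denylist and the cookie layout are constructed stand-ins, not Flask’s itsdangerous wire format.

```python
import hashlib
import hmac
import json
import math
import secrets
from base64 import urlsafe_b64decode, urlsafe_b64encode

# Constructed denylist of placeholder secrets; a real deployment would use a larger list.
DENYLIST = {"secret", "changeme", "password", "dev", "test", "flask"}


def secret_key_problems(key: str) -> list:
    """Return reasons a session secret is unfit for production (empty list means OK)."""
    problems = []
    if key.lower() in DENYLIST:
        problems.append("default or placeholder value")
    if len(key) < 32:
        problems.append("shorter than 32 characters")
    # Shannon entropy estimate: a dictionary word scores far below random hex.
    counts = {c: key.count(c) for c in set(key)}
    per_char = -sum(n / len(key) * math.log2(n / len(key)) for n in counts.values()) if key else 0
    if per_char * len(key) < 128:
        problems.append("fewer than 128 bits of estimated entropy")
    return problems


def make_secret_key() -> str:
    """Generate a secret that passes the gate above (64 hex chars from os.urandom)."""
    return secrets.token_hex(32)


def sign_session(payload: dict, key: str) -> str:
    """Simplified signed cookie: base64(json) '.' base64(HMAC-SHA256). Not itsdangerous format."""
    body = urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).rstrip(b"=")
    mac = hmac.new(key.encode(), body, hashlib.sha256).digest()
    return (body + b"." + urlsafe_b64encode(mac).rstrip(b"=")).decode()


def verify_session(cookie: str, key: str):
    """Return the payload if the MAC verifies under this key, otherwise None."""
    try:
        body, sig = cookie.encode().split(b".", 1)
    except ValueError:
        return None
    expected = urlsafe_b64encode(hmac.new(key.encode(), body, hashlib.sha256).digest()).rstrip(b"=")
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(urlsafe_b64decode(body + b"=" * (-len(body) % 4)))
```

Running `secret_key_problems("secret")` reports all three problems, and a cookie signed under "secret" returns None from `verify_session` once the key has been rotated to `make_secret_key()`.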

Centralization—gotta love it. Rombobjörn doesn’t:

All the eggs in a single basket, hanging by the thread of “secret” — isn’t centralization great? At least the managers of Points were smart enough to not try to sue the researchers instead of fixing their vulnerabilities.

Does Points.com have a bug bounty program? u/matttcheeww has an inquiring mind:

I wonder how much compensation they got for this. The potential airline benefits … would’ve been astronomical.

Supply chain is one analogy. balthazarr has another:

It’s akin to monoculture agriculture: It’s much harder to control pests and weeds. … If there’s a single provider that supplies almost everyone, a breach of that one provider — which will happen, it’s only a matter of when, not if — then all the … schemes are vulnerable and hosed.

Are we surprised? It’s not a huge surprise to this Anonymous Coward:

I used to work for [United Airlines]. Anyone could have gamed the system for free credit. … You’re pretty much on the honor system if you do anything back end for an airline.

Although the firm did a good remediation job, overstitch sounds slightly sarcastic:

Points.com claims enterprise grade security on their front page. Totally seems legit. /s

Meanwhile, did somebody say free miles? bill_mcgonigle pictures the scene:

Low DEFCON Attendance, suddenly.

And Finally:

Play Freebird!

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi, @richij or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Midland Airport (cc:by-nd; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
