They find a way to get unlimited free airline miles and hotel nights

by time news

2023-08-07 22:19:45

Travel rewards programs run by airlines and hotels compete on the benefits of joining one club over another. Behind the scenes, however, several of these programs, including Delta SkyMiles, United MileagePlus, Hilton Honors, and Marriott Bonvoy, run on the same digital platform. That backend was built by Points, a company that specializes in loyalty commerce and offers a set of services, one of which is an extensive application programming interface (API). Between March and May 2023, security flaws in points.com were reported to the company. On August 3, 2023, a group of cybersecurity researchers made the Points.com API vulnerabilities public, along with the technical details of their attack.

The reported vulnerabilities would have given attackers access to sensitive customer account information, the ability to transfer customers' account points, and unauthorized access to a global admin website. Points.com is the company that handles the storage and processing of rewards points for the vast majority of major hotel and airline loyalty programs.

Between March and May, the researchers Ian Carroll, Shubham Shah and Sam Curry disclosed a number of vulnerabilities to Points.com, and all of the issues have since been fixed.

The first vulnerability they discovered, reported on March 7, 2023, was an unauthenticated HTTP call to an internal API. An attacker exploiting this flaw would have been able to query data on 22 million customers. "The data contained in the records included partial credit card numbers, home addresses, email addresses, phone numbers, reward point numbers, customer authorization tokens, and various transaction details," said Sam Curry, a cybersecurity researcher. "The data also included details of miscellaneous transactions."

Permission bypass was the second vulnerability they discovered and disclosed on March 7, 2023.

It exposed customers' private information. By misusing an application programming interface (API), an adversary could steal other customers' airline reward points knowing only their last name and reward point number.

The third vulnerability, disclosed on May 2, 2023, was a tenant credential leak on an endpoint hosted by the Virgin Rewards program. It gave attackers the ability to sign API requests on behalf of Virgin Airways (add or remove rewards points, access customer accounts, modify rewards program settings, and so on).

On April 29, 2023, they discovered the fourth vulnerability, which was specific to United Airlines. This flaw allowed an attacker to generate an authorization token for any user just by knowing the user's rewards number and last name.

The attacker could then present that authorization token as if they were the member.

With this vulnerability, an attacker could transfer miles to himself and authenticate as a member in various MileagePlus-related applications, possibly including the MileagePlus administrator panel. The most recent vulnerability they discovered, on May 2, 2023, allowed an attacker to gain full access to the global Points.com admin interface, as well as the loyalty wallet admin panel.

An adversary can abuse this access to revoke already established rewards program credentials and temporarily disable airline rewards functionality.
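Two of the flaws above share one root cause: a rewards number plus a last name, both of which appear on boarding passes and in emails, was accepted as proof that the caller owns the account. The following Python sketch is an added illustration written for this article, not Points.com code; the `LoyaltyStore`, `Member` and `transfer_weak` names, the accounts and the passwords are all constructed. It contrasts a transfer handler that trusts those two request fields with one that derives the debited account from a session issued after a real credential check.

```python
"""Constructed demo: authorizing a points transfer with public identifiers
(rewards number + last name) versus binding it to a verified principal."""
from dataclasses import dataclass
import hashlib
import hmac
import secrets


@dataclass
class Member:
    number: str
    last_name: str
    balance: int
    pw_hash: bytes  # PBKDF2 hash of the member's password (constructed)


def hash_pw(password: str) -> bytes:
    # Fixed salt keeps the demo deterministic; use a per-user salt in practice.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"demo-salt", 100_000)


class LoyaltyStore:
    def __init__(self, members):
        self.members = {m.number: m for m in members}
        self.sessions = {}  # session token -> member number

    def _move(self, src: Member, dst_number: str, amount: int) -> bool:
        dst = self.members.get(dst_number)
        if dst is None or amount <= 0 or src.balance < amount:
            return False
        src.balance -= amount
        dst.balance += amount
        return True

    # Weak pattern: the request body names the account to debit, and the only
    # "proof" of ownership is data that is printed on tickets and shared freely.
    def transfer_weak(self, src_number, src_last_name, dst_number, amount) -> bool:
        src = self.members.get(src_number)
        if src is None or src.last_name.casefold() != src_last_name.casefold():
            return False
        return self._move(src, dst_number, amount)

    # Hardened: a session exists only after a constant-time credential check...
    def login(self, number: str, password: str):
        m = self.members.get(number)
        if m is None or not hmac.compare_digest(m.pw_hash, hash_pw(password)):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = number
        return token

    # ...and the debited account comes from that session, never from the client.
    def transfer(self, token: str, dst_number: str, amount: int) -> bool:
        src_number = self.sessions.get(token)
        if src_number is None:
            raise PermissionError("missing or invalid session")
        return self._move(self.members[src_number], dst_number, amount)
```

In the hardened handler a caller cannot name someone else's account as the source at all, which is the object-level authorization check the reported permission bypass lacked.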

Points.com staff acknowledged each issue within an hour of receiving it, demonstrating how quickly they reacted after being made aware of the vulnerabilities.

They immediately took down the affected websites for in-depth examinations, and subsequently fixed all the flaws that were discovered. According to Sam Curry’s team, “all vulnerabilities that were reported have since been remediated.”

He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He has also worked for security companies such as Kaspersky Lab. His daily work includes investigating new malware and cybersecurity incidents. He also has a deep level of knowledge in mobile security and mobile vulnerabilities.
