If you've participated in their program, you'll probably find that they have their fair share of issues. This is probably where their delay is coming from (but not a valid excuse). I found two serious problems in less than an hour. I reported the issues to them and was subsequently told that both submissions were out of scope, along with a firm warning to follow the rules. You're welcome for the free findings.
Interesting terms, if you can't talk about it afterwards how do people know that any of these bounties were paid out? After all there is a pretty simple loophole here: mark any and all reports as duplicates, no need to pay out.
The author is being nice calling it a bug. A buffer overflow is a bug. This is a moronic design, like a SQL vulnerability. I am shocked that in this day and age, so many web developers have not adopted the mentality "everything coming back from the client may and will ultimately be tainted". Relying on an ID provided by the client without checking the appropriate access is inexcusable. How many years ago was the Dell shopping cart bug (where a client could alter the price of an order)?
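The access-control failure this comment describes, a server that returns (and lets the caller manage) whatever record ID the client supplies, is easiest to see next to its fix. The following is an added example, not code from the article or from the airline's systems; the account IDs, record locators and flights are constructed, and the lookup table stands in for a real reservation store.

```python
"""
Added example (not from the thread): a reservation lookup that trusts a
client-supplied record ID without an ownership check, beside a hardened
version that ties the lookup to the server-side session identity.
All names and data below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Reservation:
    record_id: str       # client-visible identifier (like a PNR)
    owner_account: str   # account that is allowed to manage it
    flight: str


class NotAuthorized(Exception):
    pass


# Constructed sample data standing in for a reservation database.
RESERVATIONS = {
    "ABC123": Reservation("ABC123", "acct-1001", "UA100 SFO-ORD"),
    "XYZ789": Reservation("XYZ789", "acct-2002", "UA200 ORD-EWR"),
}


def get_reservation_insecure(record_id: str) -> Reservation:
    """Vulnerable: the only input is the ID the client sent. Anyone who can
    guess or observe a valid ID gets the record, regardless of who they are."""
    return RESERVATIONS[record_id]


def get_reservation_secure(session_account: str, record_id: str) -> Reservation:
    """Hardened: the identity comes from the server-side session, never from
    the request body, and the record is released only if that identity owns
    it. A missing record and a record owned by someone else produce the same
    error so the endpoint does not confirm which IDs exist."""
    rec = RESERVATIONS.get(record_id)
    if rec is None or rec.owner_account != session_account:
        raise NotAuthorized("reservation not found for this account")
    return rec


def can_access(session_account: str, record_id: str) -> bool:
    """Convenience wrapper: True only if the hardened lookup succeeds."""
    try:
        get_reservation_secure(session_account, record_id)
        return True
    except NotAuthorized:
        return False


if __name__ == "__main__":
    # The insecure path hands out another account's record on request.
    print(get_reservation_insecure("XYZ789"))
    # The secure path refuses it unless the session owns the record.
    print(can_access("acct-1001", "ABC123"), can_access("acct-1001", "XYZ789"))
```

The same pattern applies to every mutating endpoint (change seat, cancel, refund): the ownership check runs on each request using the session's identity, not once at login and never based on an ID or account number echoed back by the client.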
Is six months really unreasonable for a big bloated bureaucracy like United Airlines? I've worked on projects for smaller tech companies with release cycles longer than that. Not defending--obviously they should be set up to be able to put out small emergency fixes quickly especially if they're running a bug bounty. But, hey, it's an airline: releasing software is not exactly their bread and butter.
I reported 2 admittedly minor web security bugs to them several months back that surprisingly I was apparently the first to report, but still haven't heard back about either.
If you know the PNR of an itinerary and the person's last name you can quite easily do most of what was described in this article via United's website or over the phone. Always makes me laugh when I see folks posting full images of their plane tickets online, they so easily could have their travel plans screwed. :(
Just checked this using mitmproxy. My United MileagePlus Account is definitely there.

Also, you need a valid MP#, and the # is not sequential (nor all numbers).

At least they're using https.

Edit: Also annoying the app keeps making calls to Gogo wifi and some other Wifi page.

Edit2: I just realized United _did_ fix it. Thought it said they refused to fix it.
It's so funny to see how surprised people are about the "corp" IT compared to the "free" IT world. Once I was also surprised about how long it takes and that very important things can be out of scope.

I think the reason is that in fact in teams >10 people nobody really knows what's going on. That anything happens is more the result of many attempts and some luck. That nothing succeeds is the default.

Think of it more as "Twitch Programs Flight Ticketmanager App" than actual software development as you read it in a book. (I once worked with >5 other guys on getting a string in one computer pointing to another computer, took the whole week)
> Using just these two values, an attacker could completely manage any aspect of a flight reservation using United's website.

Don't most airline websites allow that when you get the last name and date of departure right?