> That means the attack surface for accessing someone's account is NP hard, but N is always equal to 4.

FYI, the "N" in "NP hard" is not a number. It stands for nondeterministic. The mention of "NP hard" in the first place just seems...unnecessary.
It's not a bug <i>for the purposes of a bug bounty program</i> because logging in with a 4-digit pin is the actual design, not an unintended flaw in implementation
Title seems quite linkbaity. In a 4-digit PIN-based system, being able to log in with a 4-digit PIN isn't a vuln, it's how the system works.

They even state up-front that improvements to the system are in the works.
Also, when you factor in the human tendency to pick very easily guessed PIN codes, it's laughably easy. [1] 11% are "1234".

Also, when you log into the United website, you can transfer airline miles. True, once someone complains about their miles disappearing, United might pull them back and ban the receiving account, but it might take a while.

It would be trivially easy to steal lots of airline miles into one hacked account and then sell them on to other people on the open market. When United takes them back, the buyers will be without recourse.

[1] http://www.datagenetics.com/blog/september32012/index.html
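As an added example, not code from the thread, here is a small Python risk model of the point above: how the reported 11% share of "1234" and a per-account attempt limit change a guesser's odds against a 4-digit PIN compared with a uniform PIN. Spreading the remaining 89% evenly over the other 9,999 PINs is a constructed simplification (real distributions are more skewed, so this understates the risk).

```python
"""Risk estimate for a 4-digit PIN login: effect of a skewed human PIN
distribution and of a per-account attempt limit on a guesser's odds."""
from fractions import Fraction

PIN_SPACE = 10_000  # all 4-digit PINs, 0000-9999


def uniform_distribution():
    """Every PIN equally likely: the best case for the defender."""
    p = Fraction(1, PIN_SPACE)
    return {f"{i:04d}": p for i in range(PIN_SPACE)}


def skewed_distribution(top_pin="1234", top_share=Fraction(11, 100)):
    """Constructed simplification of the cited data: 11% of users pick
    "1234"; the remaining mass is spread evenly over the other PINs."""
    rest = (1 - top_share) / (PIN_SPACE - 1)
    dist = {f"{i:04d}": rest for i in range(PIN_SPACE)}
    dist[top_pin] = top_share
    return dist


def success_probability(dist, attempts):
    """Probability that a guesser who tries the most common PINs first
    hits the right one within `attempts` guesses, i.e. before a lockout
    at that threshold stops them."""
    ordered = sorted(dist.values(), reverse=True)
    return sum(ordered[:attempts])


def expected_compromised(dist, attempts, accounts):
    """Expected number of `accounts` that fall to a guesser limited to
    `attempts` tries per account: the figure a lockout policy bounds."""
    return success_probability(dist, attempts) * accounts


if __name__ == "__main__":
    for name, dist in (("uniform", uniform_distribution()),
                       ("skewed", skewed_distribution())):
        for k in (1, 5, 20):
            print(f"{name:8} lockout after {k:2} tries: "
                  f"P(success) = {float(success_probability(dist, k)):.5f}")
```

Even at a single guess the skewed case is 1,100 times worse than uniform, which is why a lockout threshold alone cannot rescue a 4-digit PIN that users choose freely.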
Well, is that how it's supposed to be functioning?

The tweet says it's a security vulnerability, their response says it's functioning as designed. Not mutually exclusive.