Hacking the largest airline and hotel rewards platform (2023)

311 points by DavidChouinard, 9 months ago

16 comments

alwa, 9 months ago

I’m really impressed at the number of times they say their counterparts responded to their report in under an hour, immediately took the affected site offline, then resolved the issue quickly.

That seems like an enviable operation.
sangeeth96, 9 months ago

I've always felt most such rewards program portals and apps were more hack-jobs than serious applications and thus would be riddled with issues like these. I'm from India and I see many of these sites come and go all the time, but not a single one has inspired confidence in me about keeping my data safe. For example, even the topmost cards here (HDFC Diners/Infinia) have a shoddy website, mostly a reskinned version of their generic rewards platform/partner.

And I'm not just hand-waving here, because there are many forums that discuss taking advantage of their bad implementations to maximize returns. Even when one eventually gets patched, another springs up.
rootsudo, 9 months ago

Fun read! So close to unlimited point generation and processing tickets for those fancy flights~

I would say if you wanted to generate "free" flights, which is entirely possible, learn how GDS works and the workflow for a ticket purchase and how a coupon is attached ;) but that would probably be going too far beyond just normal poking and secure disclosure. There is enough tech debt that if you know how one airline processes a ticket, it will work on quite a few others too!

You can also do very tricky things that would process as normal for a majority of airlines too. Even though most airlines may fall onto Amadeus/Sabre, you'd be surprised (or not really) at the front end that will allow almost anything, and "farecodes" that could rewrite a ticket, which have been exposed to customer-facing endpoints that are best verified, with only an active PNR.

Then again, I do recall a famous post on here about an Australian politician and someone just using view source to verify a Qantas ticket.
billy99k, 9 months ago

It's interesting that United Airlines is mentioned here. I am a security researcher and found vulnerabilities through the United Airlines bug bounty program last year. They pay you in miles instead of money.

The problem is that they gift them to you instead of what you might get from a credit card rewards program. You end up having to pay a 2% tax on the total amount in points (at least in the US).

When I made the calculations, I am actually paying more in taxes on the points than if I just paid for the flights myself. They end up being almost completely worthless.
bogtog, 9 months ago

Is taking the website offline really necessary? If the vulnerability has been there for 1 year or so already, what harm does it being there for 1 year and an hour do? Also, maybe it's not clear to me exactly what is getting taken down, but I'm amazed that the chain from "person reading email" to "person that is permitted to take down the website" moves so quickly (or that the latter right is given so low in the hierarchy).
junto, 9 months ago

> On May 2nd, 2023, we identified that the Flask session secret for the points.com global administration website used to manage all airline tenant and customer accounts was the word "secret". After discovering this vulnerability, we were able to resign our session cookies with full super administrator permissions.

Seriously?
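The finding quoted above comes down to how signed sessions work: the server trusts whatever claims a cookie carries as long as the HMAC tag checks out under SECRET_KEY, so a guessable key makes the cookie's contents attacker-chosen. As an added illustration (not code from the post, from points.com, or from Flask itself), here is a stdlib model of HMAC-signed session cookies together with the startup check that would have refused to run with "secret" as the key. The cookie layout is a simplified stand-in, not Flask's real itsdangerous format, and the weak-key list is constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed denylist for the example; a real deployment would pair a much
# larger list with the length requirement below.
WEAK_SECRETS = {"", "secret", "changeme", "password", "dev", "test", "flask"}
MIN_SECRET_BYTES = 32  # 256 bits of key material for HMAC-SHA256


def check_secret_key(key: str) -> bool:
    """Startup guard: reject known-weak or short session signing keys."""
    if key.lower() in WEAK_SECRETS:
        return False
    return len(key.encode()) >= MIN_SECRET_BYTES


def new_secret_key() -> str:
    """Generate a key that passes check_secret_key (CSPRNG-backed)."""
    return secrets.token_urlsafe(MIN_SECRET_BYTES)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_session(claims: dict, key: str) -> str:
    """Serialize claims and append an HMAC-SHA256 tag: '<body>.<tag>'."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(key.encode(), body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def verify_session(cookie: str, key: str):
    """Return the claims if the tag verifies under key, else None.

    Nothing else authenticates the claims: whoever holds (or guesses)
    the key can mint a cookie with any role they like.
    """
    body, sep, tag = cookie.partition(".")
    if not sep:
        return None
    expected = hmac.new(key.encode(), body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(tag)):
        return None
    return json.loads(_unb64(body))
```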
sova, 9 months ago

It's so funny to me, this is normally read aloud as "security vulnerabilities disclosed after patching" but in reality this is a natural part of how software is made. You make compromises. Terrible ones. Security ones. In the beginning. Not always, but some places, some applications, some websites, some languages, sometimes you make some concessions for the sake of simplicity or prototyping or proof-of-concept'ing that end up making it all the way to prod. And then these "vulnerabilities" are really things that mean your company grew way faster than you anticipated, and lucky for you some ethical hackers "exploited" these concessions first.
sqs, 9 months ago

Impressively fast responses from Points.com!

openplatypus, 9 months ago

The secret was "secret".

n4r9, 9 months ago

Does anyone know what sort of market share points.com has in this space? It's always interesting to spot correlations between market fragility and a lack of competition (as in the case of the recent Crowdstrike and CDK Global outages).
486sx33, 9 months ago

Is this why / when Air Miles went bankrupt and got bought out at the 11th hour by BMO?

https://newsroom.bmo.com/2023-03-10-BMO-Confirms-Agreement-to-Acquire-LoyaltyOnes-AIR-MILES-Reward-Program-Business
xyst, 9 months ago

It’s amazing to me that these well known attack vectors are still possible today.

Reading about directory traversal in 2023-2024 is like a blast from the past.

Banditoz, 9 months ago

Anyone know of other blogs similar to Sam Curry's web API exploitation stuff?

ZephyrBlu, 9 months ago

Insane vulnerabilities. The massive mismatches between authentication and authorization scopes are crazy. Encrypting data with "secret" as the key is also a facepalm.
soygem, 9 months ago

The image is probably an img2img'd pepe dealer :)

matteason, 9 months ago

This is only tangentially related, but it always blows my mind how insecure airline booking portals are. For many (most?) airlines all you need is the booking reference (PNR number) and surname to log in and see the flight itinerary, contact details and, in some cases, change or cancel the booking. No password or MFA needed.

The kicker is that your PNR number and surname are encoded in the barcode on your boarding pass, easily scannable with a phone app. If you ever post a boarding pass online you're unintentionally doxxing yourself and potentially letting people screw with your flights.

I've seen celebrities do this, and during the CrowdStrike outage one tech CEO posted his handwritten boarding pass on Twitter with the PNR in full view.

https://krebsonsecurity.com/2017/08/why-its-still-a-bad-idea-to-post-or-trash-your-airline-boarding-pass/
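matteason's point that the PNR and surname sit in plaintext in the boarding-pass barcode follows directly from the IATA BCBP layout, which is fixed-width text with no encryption. As an added example (not from the comment or from the Krebs article), here is a stdlib parser for the mandatory fields of a single-leg M-format record, plus a redaction helper for the kind of support or kiosk tooling that logs scanned barcodes and should never persist the booking reference. Field widths follow the public IATA BCBP specification; the sample record is constructed for this example, modelled on the IATA documentation sample, and is not a real booking.

```python
# Mandatory fixed-width fields of one BCBP leg, after the two-character
# header (format code "M" + number of legs). Widths per IATA BCBP.
BCBP_FIELDS = [
    ("passenger_name", 20), ("eticket_indicator", 1), ("pnr", 7),
    ("from_airport", 3), ("to_airport", 3), ("carrier", 3),
    ("flight_number", 5), ("julian_date", 3), ("compartment", 1),
    ("seat", 4), ("sequence", 5), ("status", 1), ("var_field_size", 2),
]
MANDATORY_LEN = 2 + sum(width for _, width in BCBP_FIELDS)  # 60 chars

# Offsets of the two fields that identify the traveller and unlock the
# booking on most airline portals (name: 2..22, PNR: 23..30).
NAME_START, NAME_END = 2, 22
PNR_START, PNR_END = 23, 30

# Constructed sample, laid out field by field so the widths are exact.
SAMPLE_BCBP = (
    "M1" + "DESMARAIS/LUC".ljust(20) + "E" + "ABC123".ljust(7)
    + "YUL" + "FRA" + "AC".ljust(3) + "0834".ljust(5) + "326" + "J"
    + "001A" + "0025".ljust(5) + "1" + "00"
)


def parse_bcbp(data: str) -> dict:
    """Split a BCBP M-format string into its mandatory fields."""
    if not data.startswith("M") or len(data) < MANDATORY_LEN:
        raise ValueError("not an IATA BCBP M-format record")
    fields = {"legs": int(data[1])}
    pos = 2
    for name, width in BCBP_FIELDS:
        fields[name] = data[pos:pos + width].strip()
        pos += width
    # Passenger name is "SURNAME/GIVEN"; the surname is what portals ask for.
    surname, _, given = fields["passenger_name"].partition("/")
    fields["surname"], fields["given_name"] = surname, given
    return fields


def redact_bcbp(data: str) -> str:
    """Return the record with name and PNR masked, length preserved.

    Everything else (route, flight, seat) stays readable for diagnostics.
    """
    parse_bcbp(data)  # validate before touching offsets
    return (data[:NAME_START] + "X" * (NAME_END - NAME_START)
            + data[NAME_END:PNR_START] + "X" * (PNR_END - PNR_START)
            + data[PNR_END:])
```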