A security researcher said it took United Airlines nearly six months to patch a serious vulnerability that could have been exploited to access customer information and manage flight reservations.
A couple of weeks after United Airlines launched its bug bounty program, software developer and security researcher Randy Westergren started analyzing the company’s Android mobile app which, according to Google Play, currently has between one and five million installs.
The expert created an account for MileagePlus, United’s frequent flyer program, and began analyzing the requests sent by the mobile application. Westergren discovered that changing one of the parameters, mpNumber, which is likely the MileagePlus number, allowed an attacker to access a different MileagePlus account.
These types of vulnerabilities, known as insecure direct object references (IDOR), can be easily exploited by an attacker simply by changing the value of a parameter in the request sent by the app to the server. The researcher tested the vulnerability in the United Airlines API by creating a second MileagePlus account that he used to book a flight.
Changing the value of the mpNumber parameter to that of the second test account revealed a lot of information, including the customer’s name and the value of a parameter named recordLocator. These two pieces of information could have allowed an attacker to access a user’s reservations and modify or cancel their flight.
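To show the class of bug the article describes from the server's side, here is an added example (not United's code, and not from Westergren's write-up): a reservation lookup that trusts the client-supplied mpNumber, the same endpoint hardened so the lookup is bound to the authenticated session, and a scan over constructed API log lines (hypothetical format) that flags sessions requesting another account's MileagePlus number. The account data, log lines and field names other than mpNumber and recordLocator are constructed for the demonstration.

```python
# Added example, not United's code: the IDOR pattern described above,
# a hardened version, and a log check that surfaces cross-account requests.
import re

# Constructed sample data: two MileagePlus accounts and their reservations.
ACCOUNTS = {
    "MP0001": {"name": "Alice Example", "recordLocator": "ABC123"},
    "MP0002": {"name": "Bob Example", "recordLocator": "XYZ789"},
}

def lookup_vulnerable(session_mp, request):
    """IDOR: the authenticated account (session_mp) is never compared to the
    mpNumber parameter, so whatever mpNumber the client sends is returned."""
    acct = ACCOUNTS.get(request.get("mpNumber"))
    if acct is None:
        return None
    return {"name": acct["name"], "recordLocator": acct["recordLocator"]}

def lookup_fixed(session_mp, request):
    """Hardened: authorize against the session, not the request parameter."""
    if request.get("mpNumber") != session_mp:
        return {"error": "forbidden"}  # deny; caller should log the attempt
    acct = ACCOUNTS[session_mp]
    return {"name": acct["name"], "recordLocator": acct["recordLocator"]}

# Constructed API log lines (hypothetical format): the session's own
# MileagePlus number beside the mpNumber parameter it sent.
SAMPLE_LOG = """\
2015-11-20T10:01:02Z session_mp=MP0001 path=/api/reservations mpNumber=MP0001 status=200
2015-11-20T10:01:09Z session_mp=MP0001 path=/api/reservations mpNumber=MP0002 status=200
2015-11-20T10:02:33Z session_mp=MP0002 path=/api/reservations mpNumber=MP0002 status=200
"""
LINE_RE = re.compile(r"session_mp=(\S+) .*mpNumber=(\S+) status=(\d+)")

def find_cross_account_requests(log_text):
    """Return (session_mp, mpNumber, status) for every request where a session
    asked for a record that is not its own; a 200 on such a line means the
    ownership check was missing when the request was served."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group(1) != m.group(2):
            hits.append((m.group(1), m.group(2), int(m.group(3))))
    return hits
```

After the fix, the same scan should only ever report non-200 statuses for mismatched pairs, which makes it a cheap regression check for the endpoint.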
The flight reservation page includes information such as flight departure and arrival, and payment details, including payment method and last four digits of the credit card number.
Westergren discovered that the vulnerability also exposed information that could have been used to enter United Clubs in airports.
The flaw was reported to United Airlines on May 27 and the company informed the expert on July 13 that his submission was a duplicate. However, Westergren says the airline only patched the vulnerability in mid-November, after he informed them of his intention to publicly disclose the issue, and after the company was contacted by reporters who wanted to cover the researcher’s findings. United Airlines has blamed the delay on the large number of vulnerability reports it has received.
“Overall, I think bug bounty programs are a great step in the right direction, but running one effectively is critical. Though the intention to publicly disclose the vulnerability appears to have pressured United to fix it, I suspect that the request for comment by media personnel ultimately forced them to take the necessary action,” Westergren said in a blog post on Sunday.
United Airlines has provided the following statement:
“The protection of our customers’ information is one of our top priorities, and we have extensive security measures in place to safeguard their personal data. We have addressed this issue and are confident that our systems are secure. We remain vigilant in protecting against unauthorized access and will continue to use best-practices on cyber-security to maintain our effectiveness.”
This was not the first time Westergren found serious security holes in the mobile apps of a major company. Earlier this year, the expert reported discovering similar vulnerabilities in mobile applications offered by Verizon, Marriott, and Delmarva Power.
United Airlines launched its bug bounty program in May, when it announced that researchers could earn air miles for responsibly disclosing security flaws found in the company’s websites and mobile apps. One bug bounty hunter earned one million free air miles, estimated to be worth roughly $25,000, after finding a critical remote code execution vulnerability.
Vulnerabilities such as the one discovered by Westergren can pose a serious threat considering that the airline has been reportedly targeted by malicious actors. The Chinese threat group that is believed to have breached the systems of the United States Office of Personnel Management (OPM) and healthcare giant Anthem is also said to have stolen information from United Airlines, including passenger details.
SOURCE: Eduard Kovacs | SecurityWeek.com