According to WorldMate security officer Yosi Dahan, a threat actor could easily lock United Airlines users out of their accounts. Dahan explained that he reported the security issue in March under the United Airlines bug bounty program, but he has not received a reply from the company.
Dahan told The Register that someone could run a brute-force attack by enumerating MileagePlus account numbers and force a significant number of United Airlines customers to contact the company's customer care service to unlock their blocked accounts.
Four incorrect login attempts lock the account, which can then only be unlocked after a phone call to a United Airlines operator.
“An attacker can generate a targeted attack against UA in which he will be able to lock all the accounts related to the MileagePlus program by generating a user ID and random pin codes combined of four numbers, or some random passwords,” Dahan says. “In order to unlock and reset the password of the locked account, a user would have to call the support center.”
As usually happens in these cases, running such a brute-force attack requires only a few lines of code, as Dahan confirmed.
“With a simple script, an attacker can generate any account ID in the form of AA000000, for example: AA000001, AA000002 until he reaches ZZ999999,” he said.
Another element of concern in the MileagePlus system is that the service tells users when they have entered a wrong identification number, distinguishing that case from an erroneous password. This means an attacker can tell valid account numbers from invalid ones and use that information to drive the brute-force attack.
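A defender-side check for the kind of campaign described above, added here as an example and not code from the article or from United Airlines: it scans constructed authentication-failure log lines (the line format, IP addresses and account IDs are all assumed) and flags a source that fails against many distinct MileagePlus-style IDs within a short window, which is what a lock-out-by-enumeration attempt looks like, while a single user mistyping their own password is left alone.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real United Airlines data):
# "<ISO timestamp> <source ip> <account id> <result>"
SAMPLE_LOG = """\
2015-05-11T10:00:00 203.0.113.7 AA000001 FAIL
2015-05-11T10:00:01 203.0.113.7 AA000002 FAIL
2015-05-11T10:00:02 203.0.113.7 AA000003 FAIL
2015-05-11T10:00:03 203.0.113.7 AA000004 FAIL
2015-05-11T10:00:04 203.0.113.7 AA000005 FAIL
2015-05-11T10:00:05 203.0.113.7 AA000006 FAIL
2015-05-11T10:05:00 198.51.100.20 AB123456 FAIL
2015-05-11T10:05:30 198.51.100.20 AB123456 FAIL
2015-05-11T10:06:00 198.51.100.20 AB123456 OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) ([A-Z]{2}\d{6}) (OK|FAIL)$")

def parse_log(text):
    """Parse the assumed log format into (timestamp, ip, account, result)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, acct, result = m.groups()
            events.append((datetime.fromisoformat(ts), ip, acct, result))
    return events

def account_ordinal(acct):
    """Map AA000000..ZZ999999 onto integers so adjacency can be measured."""
    letters = (ord(acct[0]) - 65) * 26 + (ord(acct[1]) - 65)
    return letters * 1_000_000 + int(acct[2:])

def find_lockout_campaigns(events, window=timedelta(minutes=5), min_accounts=5):
    """Flag sources whose failures hit many distinct accounts in one window.
    A user mistyping a password fails against one account; an enumeration
    campaign fails against many, typically with adjacent IDs."""
    per_source = defaultdict(list)
    for ts, ip, acct, result in events:
        if result == "FAIL":
            per_source[ip].append((ts, acct))
    alerts = {}
    for ip, fails in per_source.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            in_window = [a for t, a in fails[i:] if t - start <= window]
            accts = sorted(set(in_window), key=account_ordinal)
            if len(accts) >= min_accounts:
                ords = [account_ordinal(a) for a in accts]
                sequential = all(b - a == 1 for a, b in zip(ords, ords[1:]))
                alerts[ip] = {"accounts": len(accts), "sequential": sequential}
                break
    return alerts
```

The `sequential` flag separates an ID sweep from, say, a shared office NAT where several real users fail independently against unrelated accounts.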
As a curiosity, unlike other bounty programs, United Airlines rewards researchers with frequent-flyer miles, and remote code execution bugs earn the largest number of miles.
Let's wait for a comment from United Airlines.
(Security Affairs – United Airlines, hacking)