A security expert discovered that United Airlines accounts could be locked out by running a brute-force attack. On a large scale, the effects could be serious.
According to WorldMate security officer Yosi Dahan, a threat actor could easily lock United Airlines users out of their accounts. Dahan explained that he reported the security issue in March under the United Airlines bug bounty program, but he has not received a reply from the company.
Dahan told The Register that someone could run a brute-force attack by enumerating MileagePlus account numbers and force a significant number of United Airlines customers to contact the company's customer care service to unlock their blocked accounts.
Four incorrect attempts lock the account, which can be unlocked only after a phone call to a United Airlines operator.
“An attacker can generate a targeted attack against UA in which he will be able to lock all the accounts related to the MileagePlus program by generating a user ID and random pin codes combined of four numbers, or some random passwords,” Dahan says. “In order to unlock and reset the password of the locked account, a user would have to call the support center.”
As usually happens in these cases, a few lines of code are sufficient to run a brute-force attack, as Dahan confirmed.
“With a simple script, an attacker can generate any account ID in the form of AA000000, for example: AA000001, AA000002 until he reaches ZZ999999,” he said.
Another element of concern in the MileagePlus system is that the service tells users when the identification number they entered is wrong, distinguishing that case from an incorrect password. This gives an attacker additional information to guide the brute-force attack.
As a curiosity, unlike other bounty programs, United Airlines offers flyer points as rewards, and remote code execution bugs are awarded the greatest number of points.
Let’s wait for a comment from United Airlines.
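As an added illustration (not code from the article, from Dahan, or from United Airlines), here is a constructed Python sketch of the weak lockout behaviour described above next to a hardened policy: the same error text for an unknown ID and a wrong PIN, failure counting per source address, and a time-limited lock instead of one that requires a phone call. The account ID, PIN, thresholds and lock duration are made up for the demo.

```python
from collections import defaultdict
import time
ACCOUNTS = {"AB123456": "1234"}  # constructed: one account ID with a 4-digit PIN
MAX_FAILS = 4

class WeakLogin:
    """As described: four failures hard-lock the account; errors reveal ID validity."""
    def __init__(self):
        self.fails = defaultdict(int)
        self.locked = set()

    def login(self, account, pin):
        if account in self.locked:
            return "locked: call support"
        if account not in ACCOUNTS:
            return "unknown account id"  # confirms the ID does not exist
        if ACCOUNTS[account] != pin:
            self.fails[account] += 1
            if self.fails[account] >= MAX_FAILS:
                self.locked.add(account)  # permanent lock, anyone can trigger it
            return "wrong pin"  # confirms the ID does exist
        return "ok"

class HardenedLogin:
    """Uniform error text, per-source failure counting, time-limited account lock."""
    LOCK_SECONDS = 300
    SOURCE_LIMIT = MAX_FAILS * 5  # hypothetical budget of failures per source address

    def __init__(self, clock=time.time):
        self.clock = clock
        self.src_fails = defaultdict(int)
        self.acct_fails = defaultdict(int)
        self.locked_until = {}

    def login(self, account, pin, src_ip):
        now = self.clock()
        if self.src_fails[src_ip] >= self.SOURCE_LIMIT:
            return "try again later"  # noisy source throttled, accounts untouched
        if self.locked_until.get(account, 0) > now:
            return "try again later"  # lock expires by itself, no phone call needed
        if ACCOUNTS.get(account) == pin:
            self.acct_fails[account] = 0
            return "ok"
        self.src_fails[src_ip] += 1
        self.acct_fails[account] += 1
        if self.acct_fails[account] >= MAX_FAILS:
            self.locked_until[account] = now + self.LOCK_SECONDS
            self.acct_fails[account] = 0
        return "invalid credentials"  # same text for unknown ID and wrong PIN
```

The hardened policy still rate-limits guessing, but a burst of failures from one source cannot permanently deny the legitimate owner access, and the responses no longer confirm which IDs exist.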
Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field and a Certified Ethical Hacker (EC-Council, London). A passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US.
Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines.
He is the author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.