Summary
- Hacker Sam Curry discovered flaws in Points.com's platform, potentially putting frequent flyer programs at risk. The vulnerabilities allowed access to 22 million orders, personal data, and the ability to transfer points and modify accounts.
- Specific vulnerabilities were found in Virgin Atlantic and United MileagePlus accounts, allowing hackers to add/remove points, transfer miles, and access personal information.
- Points.com promptly responded and fixed the issues, but the incident highlights the need for increased security measures in frequent flyer programs to protect valuable data and prevent financial risks.
As cyberattacks become more common globally, frequent flyer programs are no exception, and given their high cash value, they can be a lucrative target. This made hacker Sam Curry's recent revelation about flaws in Points.com's platform alarming for many. The firm handles transactions for programs such as American's AAdvantage, Emirates' Skywards, Virgin Atlantic's Flying Club, and many more. Sam Curry handed over the research to Points.com, who promptly fixed their systems, but the flaws before were gaping.
Access to 22 million orders
You've likely encountered Points.com when trying to buy or transfer points, with the company handling the payment and transfer of miles to the account. Considering its reach, hacker Sam Curry and a few others teamed up to see if they could exploit any vulnerabilities to affect balances or see personal data. They worked between March and May of this year, finding several issues.
In March, they were able to use an unauthenticated HTTP to access an internal API that could query 22 million orders. Each order contained partial credit card numbers, names, addresses, frequent flyer numbers, phone numbers, and more. With 100 results per request, hackers could sort for accounts and access all the above details.
Another issue they found due to an improperly configured API was that accounts could be accessed with only the frequent flyer number and surname. This allowed access to billing history, order history, and, crucially, customer transfer points. The two vulnerabilities combined could have led to massive losses and valuable data in the hands of bad actors.
Love learning about points and miles? Read more of our loyalty news and guides here.
Virgin Atlantic and United found out
In May, the team found vulnerabilities specific to Virgin Atlantic's Flying Club page hosted by Points.com due to leaked authentication keys. In particular, the hackers were able to access Points.com's page for the airline and modify accounts. This meant the ability to add or remove points or modify any other setting in your Virgin account.
United MileagePlus accounts faced another issue: hackers could generate an authorization token using only a MileagePlus number and surname. This allowed authentication on several apps, and hackers could transfer miles to themselves. In addition, names, billing addresses, email, and redacted credit card information could be accessed.
Finally, the hackers were able to access the Points.com global administration website by guessing a key cookie access code (Flask session secret) as "secret." This allowed the group to give themselves administrator access and unlimited authority to change the value of points (1:1 to 1:1 million was the example), manage promotions, lookup users, and much more.
Points.com responded promptly
Sam Curry and the team handed over their information to Points.com, who fixed most of them in minutes, either on the spot or by temporarily taking down the website. The final issue of administrator access took an hour to resolve. However, it is good to see that the firm is at least on top of patching security issues, despite letting them exist for an unknown period.
In addition to affecting users, frequent flyer points are valuable currency that can be redeemed for cash equivalents, making this a considerable privacy and financial risk for airline clients. Therefore, these demand high levels of protection, and undoubtedly this report will shake up other players into beefing up protocols as well. For now, we can only be thankful that the vulnerabilities were found by a group without nefarious intentions and reported them promptly.
In a statement to Simple Flying, a Points.com spokesperson noted,
"As part of our ongoing data security activities, Points recently worked with a group of skilled security researchers concerning a potential cybersecurity vulnerability in our system...During this assessment, low-risk information pertaining to a small number of members -- approximately 50 -- was briefly accessible to the group of security researchers. There was no evidence of malice or misuse of this information, and all data accessed by the group has been destroyed."
"As with any responsible disclosure, upon learning of the vulnerability, Points acted immediately to address and remediate the reported issue. Our remediation efforts have been vetted and verified by third-party cybersecurity experts."
Source: samcurry.net