SecurityWeek

Vulnerabilities

United Airlines Patches Serious Flaw After 6 Months

A security researcher said it took United Airlines nearly six months to patch a serious vulnerability that could have been exploited to access customer information and manage flight reservations.


A couple of weeks after United Airlines launched its bug bounty program, software developer and security researcher Randy Westergren started analyzing the company’s Android mobile app which, according to Google Play, currently has between one and five million installs.

The expert created an account for MileagePlus, United’s frequent flyer program, and began analyzing the requests sent by the mobile application. Westergren discovered that changing one of the parameters, mpNumber, which is likely the MileagePlus number, allowed an attacker to access a different MileagePlus account.

These types of vulnerabilities, known as insecure direct object references (IDOR), can be easily exploited by an attacker simply by changing the value of a parameter in the request sent by the app to the server. The researcher tested the vulnerability in the United Airlines API by creating a second MileagePlus account that he used to book a flight.

Changing the value of the mpNumber parameter to that of the second test account revealed a lot of information, including the customer’s name and the value of a parameter named recordLocator. These two pieces of information could have allowed an attacker to access a user’s reservations and modify or cancel their flight.
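To make the IDOR pattern concrete from the defender's side, here is an added example (not United's code, and not taken from Westergren's write-up) of an account lookup that trusts the client-supplied mpNumber, the same lookup with an ownership check, and a simple log check that flags sessions requesting accounts other than their own. The account records, session tokens and MileagePlus numbers are constructed sample data.

```python
from collections import defaultdict

# Constructed sample data; names, numbers and tokens are not real.
ACCOUNTS = {
    "MP111111": {"name": "Alice Example", "recordLocator": "ABC123"},
    "MP222222": {"name": "Bob Example", "recordLocator": "XYZ789"},
}
# Session token -> MileagePlus number the session was issued for.
SESSIONS = {"tok-alice": "MP111111", "tok-bob": "MP222222"}


class Forbidden(Exception):
    """The caller is authenticated but not allowed to touch the requested object."""


def authenticate(token):
    """Map a session token to the MileagePlus number it belongs to."""
    owner = SESSIONS.get(token)
    if owner is None:
        raise Forbidden("invalid session")
    return owner


def get_account_vulnerable(token, mp_number):
    """IDOR: checks only that the caller is logged in, then trusts mpNumber."""
    authenticate(token)
    return ACCOUNTS[mp_number]


def get_account_fixed(token, mp_number):
    """Ownership check: the requested object must belong to the authenticated user."""
    owner = authenticate(token)
    if mp_number != owner:
        raise Forbidden("mpNumber does not belong to the authenticated account")
    return ACCOUNTS[mp_number]


def flag_cross_account_requests(request_log):
    """Detection over (token, mpNumber) pairs from an access log: report sessions
    that asked for an mpNumber other than their own. Returns {token: {numbers}}."""
    foreign = defaultdict(set)
    for token, mp_number in request_log:
        owner = SESSIONS.get(token)
        if owner is not None and mp_number != owner:
            foreign[token].add(mp_number)
    return dict(foreign)
```

The ownership check belongs in the server-side handler; validating the parameter in the mobile app alone does nothing against a modified request.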

The flight reservation page includes information such as flight departure and arrival, and payment details, including payment method and last four digits of the credit card number.

Westergren discovered that the vulnerability also exposed information that could have been used to enter United Clubs in airports.

The flaw was reported to United Airlines on May 27 and the company informed the expert on July 13 that his submission was a duplicate. However, Westergren says the airline only patched the vulnerability in mid-November, after he informed them of his intention to publicly disclose the issue, and after the company was contacted by reporters who wanted to cover the researcher’s findings. United Airlines has blamed the delay on the large number of vulnerability reports it has received.


“Overall, I think bug bounty programs are a great step in the right direction, but running one effectively is critical. Though the intention to publicly disclose the vulnerability appears to have pressured United to fix it, I suspect that the request for comment by media personnel ultimately forced them to take the necessary action,” Westergren said in a blog post on Sunday.

United Airlines has provided the following statement:

“The protection of our customers’ information is one of our top priorities, and we have extensive security measures in place to safeguard their personal data. We have addressed this issue and are confident that our systems are secure. We remain vigilant in protecting against unauthorized access and will continue to use best-practices on cyber-security to maintain our effectiveness.”

This was not the first time Westergren found serious security holes in the mobile apps of a major company. Earlier this year, the expert reported discovering similar vulnerabilities in mobile applications offered by Verizon, Marriott, and Delmarva Power.

United Airlines launched its bug bounty program in May, when it announced that researchers could earn air miles for responsibly disclosing security flaws found in the company’s websites and mobile apps. One bug bounty hunter earned one million free air miles, estimated to be worth roughly $25,000, after finding a critical remote code execution vulnerability.

Vulnerabilities such as the one discovered by Westergren can pose a serious threat considering that the airline has been reportedly targeted by malicious actors. The Chinese threat group that is believed to have breached the systems of the United States Office of Personnel Management (OPM) and healthcare giant Anthem is also said to have stolen information from United Airlines, including passenger details.

*Updated with statement from United Airlines

Related Reading: Army Experts Call for Vulnerability Response Program

Related Reading: Invitation-Only Bug Bounty Programs Becoming More Popular

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
