Poking about a United Airlines online property might not seem to be the wisest course of action for a professional hacker given the fallout over the Chris Roberts saga, but Jordan Wiens insists he wasn’t deterred.
Wiens, who founded a security company in Florida called Vector 35 and not too long ago worked for a government contractor, submitted what he thought were a couple of “lame” bugs to United’s two-month-old bug bounty program—his first commercial bounty submission. The payoff was anything but weak.
Last Friday, Wiens was awarded one million miles for a remote code execution vulnerability, United’s highest payout and the first of its kind; United’s bug bounty is the first for a major airline.
— Jordan Wiens (@psifertex) July 10, 2015
United’s bounty was announced shortly after the incident with Roberts, who tweeted during a flight that he had access to the aircraft’s in-flight entertainment system. Roberts was questioned by the FBI, who allegedly said Roberts told investigators he took control of the airplane and caused it to climb and turn.
Wiens, who is bound by the rules of the bounty not to share details on the vulnerability he found, said he wasn’t particularly worried about the ramifications of the Roberts incident on his work.
“[United] put out the bounty, which means they clearly want help,” Wiens said. “I didn’t have to test for the remote code execution bugs. I was passively poking the site and being careful about how much I was tampering. There wasn’t a whole lot of aggressive testing that I had to do. I knew I was in the clear.”
Remote code execution bugs are one of 10 bug classes eligible for bounties under United’s program; others include authentication bypass vulnerabilities, vulnerabilities on customer-facing websites and the United mobile app, cross-site request forgery, cross-site scripting, information disclosure, timing and brute-force attacks. Bugs on internal sites, partner sites and apps, on-board Wi-Fi, entertainment and avionics systems are out of scope.
United offers bounty winners only miles as a payout, with 50,00 awarded for XSS and CSRF bugs, 250,000 for authentication bypass, brute force attacks, PII disclosures and timing attacks, and one million miles for remote code execution bugs.
“There were actually two bugs that I submitted that I were pretty sure were remote code execution, but I also thought they were lame and wasn’t sure if they were on parts of the infrastructure that qualified,” Wiens said. “My expectation was that they counted, but I figured they’d award me 50,000 miles or something smaller.”
Instead, he got a message from United asking him to confirm his U.S. citizenship and whether the research was done on U.S. soil.
“I was hoping this wasn’t a honeypot,” Wiens joked. “Two hours later, I got a message to check my account that I had gotten my million miles.
“Give [United] credit,” he said. “Not a lot of companies that are not tech companies have a bug bounty program.”
Wiens said he’s done a number of permutations on what one million miles are worth and what he can do with them. As for monetary value, it’s around $25,000, which is a better payout than most commercial bug bounties. Wiens figures he has a number of options that range from using most of the miles on a first-class around-the-world trip to breaking them down to 40 domestic round-trip flights.
In the meantime, Wiens said he won’t disclose any details that would put the winnings in jeopardy.
“The best details I can share is that it was a remote code execution bug, and I didn’t have to test it to know it was remote code execution,” Wiens said, adding that it took him about six hours of work. “Finding the right domain and area to poke at was the interesting part.
“I never submit to bounties,” he said. “I’ve done a lot of vulnerability research, but always on my own, never public bug bounties before. I’ve never done commercial web app stuff before.”