A vulnerability reported to United Airlines that could have been exploited to manipulate flight reservations and customer data sat unpatched for almost six months before it was fixed 10 days ago.
Researcher Randy Westergren found and reported an issue in United’s mobile app in May, shortly after the airline announced its bug bounty program, the first in its industry. A patch arrived only after six months of back-and-forth with United, and only once Westergren had announced his intention to disclose the issue and alerted a tech publication.
The vulnerability was located in an API endpoint that exposed personal information of any United MileagePlus frequent flier program member. Westergren said his attack involved creating an account, booking a flight and examining requests made by the app. He saw that he could change a particular parameter, mpNumber, and return flight and contact information for any MileagePlus member.
“The vulnerability essentially allowed for an attacker to specify the MileagePlus number during the request that fetches upcoming flights. This means one could be logged in to their own account but request the details of another account,” Westergren told Threatpost.
“Though the MileagePlus numbers were not sequential, they did seem to follow a predictable format,” he said. “A broad attack would include guessing the mpNumber and making a request to the vulnerable endpoint. A targeted attack would simply require an attacker know the victim’s mpNumber.”
The flaw is a classic insecure direct object reference (IDOR): the server trusted the client-supplied mpNumber to identify which record to return, so any data keyed by that parameter was exposed to any logged-in user. The responses also returned the recordLocator along with the customer’s last name, which Westergren said was enough information to allow an attacker to manage any flight reservation.
“This includes access to all of the flight’s departures, arrivals, the reservation payment receipt (payment method and last 4 of CC), personal information about passengers (phone numbers, emergency contacts), and the ability to change/cancel the flight,” he wrote in a blog post explaining the situation.
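The pattern described above, as an added illustration written for this page and not United’s code or Westergren’s proof of concept: a handler that reads the account from the client’s mpNumber beside one that binds the lookup to the authenticated session, the enumeration “broad attack” run against both, and a simple detection heuristic over an access log. The endpoint shape, the reservation data and the session model are all assumptions.

```python
"""Added illustration of the IDOR pattern in the United mobile app story.
Not United's code and not Westergren's proof of concept. Endpoint names,
data and the session model are assumptions made for this example."""

from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data standing in for the airline's reservation store.
RESERVATIONS = {
    "MP00123456": [{"recordLocator": "ABC123", "lastName": "Doe", "flight": "UA100"}],
    "MP00123457": [{"recordLocator": "XYZ789", "lastName": "Roe", "flight": "UA200"}],
}


class Forbidden(Exception):
    """Raised when a caller asks for another account's data."""


@dataclass(frozen=True)
class Session:
    """Identity established at login; the only trustworthy source of mpNumber."""
    mp_number: str


def upcoming_flights_vulnerable(session: Session, params: dict) -> list:
    """Vulnerable shape: the account to read comes from the client-supplied
    mpNumber, so any logged-in user can read any member's reservations."""
    return list(RESERVATIONS.get(params["mpNumber"], []))


def upcoming_flights_fixed(session: Session, params: dict) -> list:
    """Hardened shape: the object identifier must match the authenticated
    identity. A foreign mpNumber is refused; a missing one falls back to
    the caller's own account."""
    requested = params.get("mpNumber", session.mp_number)
    if requested != session.mp_number:
        raise Forbidden("mpNumber does not belong to the authenticated session")
    return list(RESERVATIONS.get(requested, []))


def enumerate_members(handler, session: Session, candidates) -> dict:
    """The 'broad attack': replay the request with guessed mpNumbers and keep
    every guess that returns data. Against the fixed handler every foreign
    guess is refused, so only the attacker's own account comes back."""
    found = {}
    for mp in candidates:
        try:
            rows = handler(session, {"mpNumber": mp})
        except Forbidden:
            continue
        if rows:
            found[mp] = [r["recordLocator"] for r in rows]
    return found


def sessions_enumerating(access_log, threshold: int) -> set:
    """Detection heuristic: a session requesting more than `threshold`
    distinct mpNumbers is enumerating. Entries are (session_mp, requested_mp)."""
    seen = defaultdict(set)
    for session_mp, requested_mp in access_log:
        seen[session_mp].add(requested_mp)
    return {s for s, ids in seen.items() if len(ids) > threshold}


if __name__ == "__main__":
    attacker = Session("MP00123456")
    guesses = ["MP00123455", "MP00123456", "MP00123457", "MP00123458"]
    print("vulnerable:", enumerate_members(upcoming_flights_vulnerable, attacker, guesses))
    print("fixed:     ", enumerate_members(upcoming_flights_fixed, attacker, guesses))
```

The fix is deliberately not “validate that mpNumber looks well formed”: the identifier in the request is simply never allowed to select an account the session does not own. The detection function is the server-side counterpart for the interim period between report and patch, when the endpoint is still live.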
In mid-July, Westergren was informed the issue was a duplicate and thus not eligible for a reward. Nonetheless, Westergren continued to press United for a patch, only to have the airline push back, saying that only the original reporter would receive updates.
United subsequently validated the vulnerability in August and said in September it was “in queue” to be patched. As of Nov. 5, however, the vulnerability had still not been fixed, and Westergren informed United of his intention to disclose on Nov. 28, six months after his initial report. United replied that it was swamped with submissions to its bounty and reminded him that public disclosure would permanently disqualify him from the program. Westergren then took the story to a media contact, and only after that publication approached United for comment, he said, was the patch expedited.
“I was informed that the bug was a duplicate submission. United’s policy is to award the first submitter only (this is pretty standard for bounty programs),” Westergren said. “United did not prove it to me, nor do I think they would be under any obligation to do so.”
Westergren is no stranger to uncovering vulnerabilities in web and mobile applications. He’s been credited with finding bugs in Z-Way home automation software, Marriott’s Android mobile app, Verizon’s MyFIOS mobile app, and the MyFitnessPal fitness mobile app. He said this was not his first negative go-round with a vendor regarding disclosure, though it was the first hardship he’s had with a bug bounty.
“The fact that there was a bug bounty program involved, at least from my perspective, was largely irrelevant — including the reward. I hold all relationships with vendors to the same accountability, regardless of the existence of a bug bounty program,” Westergren said. “With that said, I think bug bounties are an overall positive for the security community — this experience doesn’t change that for me.”