Points.com: Unveiling the Vulnerabilities Behind Customer Data Theft and Rewards Program Hacking

Vulnerabilities in points.com Exposed Customer Data Theft and Rewards Program Hacking

Introduction

Multiple vulnerabilities in the popular airline and hotel rewards platform, points.com, have been identified by security researchers. These vulnerabilities could have allowed attackers to access users’ personal information, transfer points between accounts, and gain unauthorized administrative access. The security team at points.com has responded quickly to the vulnerability reports and addressed each issue promptly.

Details of the Vulnerabilities

The security researchers, Ian Carroll, Shubham Shah, and Sam Curry, identified five security defects in points.com over several months. These vulnerabilities allowed attackers to gain unauthorized access to sensitive user information, including names, addresses, emails, phone numbers, and transactions. Additionally, the vulnerabilities could have enabled attackers to transfer points between accounts and access the global administrator website, granting permissions to issue points and manage loyalty programs.

Unauthenticated HTTP Path Traversal Bug

In early March, the researchers discovered an unauthenticated HTTP path traversal bug that could have been exploited to access an internal API exposing a database of 22 million order records. This database contained partial credit card numbers, home addresses, email addresses, phone numbers, reward points numbers, customer authorization tokens, and transaction details. An API call could retrieve 100 results per HTTP request, leading to potential data theft.

Authorization Bypass in an Improperly Configured API

The researchers also reported an authorization bypass in an improperly configured API, which could have allowed attackers to transfer airline rewards points from users. By generating full account authorization tokens, attackers could manage customer accounts and view their information.

Bug Impacting United Airlines

Another vulnerability was reported in the United Airlines rewards program. Attackers could generate an authorization token for any user account by simply knowing their rewards number and surname. This would allow attackers to transfer miles to themselves and authenticate as the member on various apps related to MileagePlus, potentially gaining access to sensitive information, including names, billing addresses, redacted credit card information, email addresses, phone numbers, and past transactions.

Authentication Information Leakage on Virgin Rewards Website

The researchers discovered that a points.com-hosted Virgin rewards website was leaking API authentication information. Attackers could impersonate the airline, make API calls to modify accounts, add/remove points, and modify the Virgin rewards program settings.

Flask Session Secret for points.com Global Administration Website

In May, the researchers discovered the Flask session secret for the points.com global administration website. This secret allowed them to create session cookies with super administrator permissions, granting access to all core administration functionality on the website. An attacker could abuse this access to revoke existing reward program credentials and temporarily disrupt airline rewards functionality.
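To show why a leaked session secret is so damaging and why rotating it is the fix, here is an added example (not points.com's or Flask's own code) modelling an HMAC-signed session cookie with only the Python standard library: a cookie minted under the old secret verifies until the secret is rotated, after which every existing session, legitimate or forged, is rejected. The weak-secret list and the 32-character minimum are constructed policy values.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed list of placeholder values that should never be a production secret.
WEAK_SECRETS = {"", "secret", "changeme", "dev", "password", "flask"}


def secret_is_strong(secret: str) -> bool:
    """Startup check: reject known placeholders and short secrets (assumed policy: 32+ chars)."""
    return secret not in WEAK_SECRETS and len(secret) >= 32


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_session(payload: dict, secret: str) -> str:
    """Mint a cookie as <base64 payload>.<base64 HMAC-SHA256 over the payload>."""
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    mac = hmac.new(secret.encode(), body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(mac)}"


def verify_session(cookie: str, secret: str):
    """Return the payload only if the MAC matches under the *current* secret, else None."""
    try:
        body, sig = cookie.rsplit(".", 1)
        presented = _unb64(sig)
    except ValueError:  # malformed cookie or bad base64
        return None
    expected = hmac.new(secret.encode(), body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):
        return None
    return json.loads(_unb64(body))


def rotate_secret() -> str:
    """Generate a fresh random secret; deploying it invalidates all outstanding cookies."""
    return secrets.token_urlsafe(48)


if __name__ == "__main__":
    old_secret = "changeme"                       # constructed weak value
    print("old secret strong?", secret_is_strong(old_secret))
    cookie = sign_session({"user": "ops", "role": "superadmin"}, old_secret)
    print("before rotation:", verify_session(cookie, old_secret))
    print("after rotation:", verify_session(cookie, rotate_secret()))  # None
```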

Points.com’s Response and Responsiveness

The points.com security team has been highly responsive to the vulnerability reports from the researchers. They have successfully addressed each issue within approximately one hour of disclosure. This prompt action demonstrates the commitment of the points.com security team to protect their customers’ data and minimize the potential impact of these vulnerabilities.

Editorial

The discovery of multiple vulnerabilities in points.com’s platform raises concerns about the security of popular airline and hotel rewards programs. These incidents highlight the importance of rigorous security testing and continuous monitoring for any platform handling sensitive user information. With the increasing reliance on digital platforms, it becomes crucial for companies to prioritize cybersecurity investments and adopt a proactive approach to mitigating vulnerabilities.

Advice for Users

While it is the responsibility of the platform provider to ensure the security of user data, users can take certain steps to protect themselves. Here are some recommendations:

1. Enable Two-Factor Authentication

Enable two-factor authentication whenever possible. This adds an extra layer of security and makes it harder for attackers to gain unauthorized access to your accounts.

2. Use Unique and Strong Passwords

Create unique and strong passwords for each online account. Using a password manager can help you generate and store complex passwords securely.

3. Monitor Your Accounts

Regularly monitor your rewards program accounts for any suspicious activity, such as unauthorized point transfers or changes in personal information. Report any suspicious activity to the platform provider immediately.

4. Stay Informed

Keep yourself updated on the latest cybersecurity news and vulnerabilities affecting popular platforms. Being aware of potential risks can help you take preventive measures and avoid falling victim to cyberattacks.

5. Be Cautious of Phishing Attempts

Be cautious of emails or messages asking for personal or account information. Double-check the authenticity of such requests before providing any sensitive information. Legitimate companies will never ask for your password or authentication details via email.

In conclusion, the vulnerabilities discovered in points.com highlight the ongoing challenges in securing digital platforms that handle sensitive user data. The swift response from the points.com security team and their dedication to resolving these issues demonstrate the importance of proactive security measures. Users also need to take steps to protect themselves and their accounts by implementing best practices in password hygiene and account monitoring.
