United Airlines accounts open to mass lock-outs
Web pests can inundate carrier'call centre
A simple brute-force attack is all that's needed to lock users out of their frequent flyer accounts.
However, in spite fof the discovery, by Turrisio Cybersecurity security officer Yosi Dahan, being disclosed under the airline's bug bounty in March, the researcher is complaining that United isn't responding to him.
Dahan says the airline has not responded to his disclosure under its bug bounty launched March.
The Israeli hacker told El Reg someone could force scores of United Airline customers to call the airline's call centres by enumerating MileagePlus account numbers and launch brute-force password guessing.
"An attacker can generate a targeted attack against UA in which he will be able to lock all the accounts related to the MileagePlus program by generating a user ID and random pin codes combined of four numbers, or some random passwords," Dahan says.
"In order to unlock and reset the password of the locked account, a user would have to call the support center.
"With a simple script, an attacker can generate any account ID in the form of AA000000, for example: AA000001, AA000002 until he reaches ZZ999999."
Dahan says accounts are locked after four incorrect attempts and can only be unlocked after a phone call to an airline operator.
United Airlines has been contacted for comment.
The account enumeration flaw is common and can expose sensitive customer information until identification numbers are scrambled such that it cannot be guessed.
Dahan says the MileagePlus system will inform when user identification numbers are incorrect as distinct from erroneous passwords. This allows a script to more efficiently target only active accounts with a flood of bogus passwords.
The airline launched its bug bounty program in March offering flyer points rather than the traditional cash or tee-shirt payment.
Rewards are payable on a sliding scale. Find a cross-site scripting flaw and the airline will dole out 50,000 air miles. A more serious authentication bypass flaw or a method for carrying out a denial-of-service attack could earn you 250,000 miles.
The top prize of a million-miles is awarded for remote code execution bugs. ®
Bootnote: An earlier version of this story incorrectly identified research Yosi Dahan as working for WorldMate. He has since left to establish Turrisio Cybersecurity. ®