Slashdot Mirror


My United Airlines Website Hack Gets Snubbed

Bennett Haselton writes: United Airlines announced that they will offer up to 1 million air miles to users who can find security holes in their website. I demonstrated a way to brute-force a user's 4-digit PIN number and submitted it to them for review, emailing their Bugs Bounty contact address on three occasions, but I never heard back from them. Read on for the rest. If you've had a different experience with the program, please chime in below.

United Airlines announced the program in May (also specifying rules which specifically prohibited hacking in-flight systems, but which included "[t]he ability to brute-force reservations, MileagePlus numbers, PINs or passwords".) I poked around on their website and discovered that on their "Forgot your MileagePlus number?" page, you can request a reset of your password by submitting your first and last name, AND any ONE of the following:

  • your e-mail address
  • your street address
  • your phone number
  • your PIN
  • your password
  • your "old MileagePlus number"

And after submitting your information, the page will tell you whether your information matched an existing MileagePlus customer record.

This means that if you know a user's first and last name, you can guess their PIN, and the MileagePlus site will tell you whether you got it right or not. If the site doesn't limit your number of guesses, you can write a script that iterates through all 10,000 possibilities for the PIN until it finds the right one.

I wrote a script that did exactly that, and brute-forced my own account's PIN in a few hours (submitting one guess at a time, and running at 2 a.m. so as not to impact any other users). This means that United's website is not limiting the number of guesses per IP address, or showing a CAPTCHA after some number of failed attempts, or limiting the number of guesses per hour on a particular account, or any other countermeasures that you might expect. (The Bugs Bounty Program rules state, "[W]e do not allow execution of brute-force attacks on other users," which I interpreted to mean that brute-forcing your own account ought to be fine.)

So, United, if you're reading this, the immediate fix should be to disable the "PIN" option on the "Forgot your MileagePlus Number?" page. Keep the option to retrieve your account number by submitting your password, since even weak passwords are far harder to guess than 4-digit PIN numbers. But get rid of the PIN option.

I mentioned other possible countermeasures, including limiting requests per IP address and showing a CAPTCHA, but I actually don't think either of these would be effective. If you limit requests per IP address, any serious adversary will have a botnet of machines that they can use to submit requests from different addresses. If you make the user type in a CAPTCHA to submit a request, an attacker can hire workers online to read and type in the CAPTCHAs for a penny apiece. If you limit the number of reset attempts per hour on a particular account, that will slow down the attacker's attempts to brute-force the PIN for a particular account. However, if the attacker has a database of 1000 customer names and wants to find PINs for all of them, on Day 1 they could try 10 PINs for customer 1, then 10 PINs for customer 2, and so on up to customer 1000, and then on Day 2 they could try the next set of 10 PINs on customer 1, customer 2, etc. The attacker can't find any particular customer's PIN quickly, but they will be able to recover all of the customers' PINs slowly -- even though they never did more than 10 PIN authentication attempts on any particular account in the same day. Without a safe countermeasure, then, simply getting rid of PIN authentication would be the best fix.
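The match/no-match response on the lookup page described above is the oracle, and the paragraph above argues that per-account or per-IP limits alone miss an attacker who spreads guesses across many accounts. The following is an added example, not code from the article or from United: three checks a defender can run over the lookup endpoint's logs, showing that a per-account limiter flags only the concentrated pattern, while a distinct-accounts-per-source check and a site-wide failed-PIN count are what still move when guesses are spread out. The log format, field names and thresholds are assumptions, and the log lines are constructed.

```python
"""Detection checks for PIN guessing against a name-based account lookup.

Added example (not the article's or United's code). The log format, field
names and thresholds are assumptions; the sample log below is constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one line per "Forgot your MileagePlus number?" request:
# ISO timestamp, client IP, account (name looked up), selector used, outcome.
# 203.0.113.5 hammers one account (the concentrated pattern); 192.0.2.10 makes a
# single guess each against several accounts (the spread-out pattern from the text).
SAMPLE_LOG = """\
2015-05-23T02:00:01Z 203.0.113.5 alice_smith pin nomatch
2015-05-23T02:00:02Z 203.0.113.5 alice_smith pin nomatch
2015-05-23T02:00:03Z 203.0.113.5 alice_smith pin nomatch
2015-05-23T02:00:04Z 203.0.113.5 alice_smith pin nomatch
2015-05-23T02:00:05Z 203.0.113.5 alice_smith pin nomatch
2015-05-23T02:00:06Z 203.0.113.5 alice_smith pin match
2015-05-23T09:15:00Z 198.51.100.7 bob_jones email match
2015-05-23T10:00:00Z 192.0.2.10 carol_w pin nomatch
2015-05-23T10:00:30Z 192.0.2.10 dave_k pin nomatch
2015-05-23T10:01:00Z 192.0.2.10 erin_l pin nomatch
2015-05-23T10:01:30Z 192.0.2.10 frank_m pin nomatch
2015-05-23T11:00:00Z 198.51.100.9 gina_p password match
"""


def parse_log(text):
    """Parse the assumed whitespace-separated log format into event dicts."""
    events = []
    for line in text.splitlines():
        ts, ip, account, selector, outcome = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip, "account": account,
            "selector": selector, "outcome": outcome,
        })
    return events


def failed_pin_lookups(events):
    """Only failed lookups that used the PIN selector are guessing signal."""
    return [e for e in events if e["selector"] == "pin" and e["outcome"] == "nomatch"]


def _exceeds_in_window(times, limit, window):
    """True if more than `limit` timestamps fall inside any sliding window."""
    times = sorted(times)
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        if end - start + 1 > limit:
            return True
    return False


def per_account_alerts(events, limit=3, window=timedelta(days=1)):
    """Concentrated pattern: one account with > limit failed PIN lookups per window.
    This is the per-account limiter the article says an attacker can sidestep."""
    by_account = defaultdict(list)
    for e in failed_pin_lookups(events):
        by_account[e["account"]].append(e["ts"])
    return sorted(a for a, ts in by_account.items()
                  if _exceeds_in_window(ts, limit, window))


def per_source_spread_alerts(events, max_accounts=3, window=timedelta(days=1)):
    """Spread-out pattern: one source probing PINs of > max_accounts distinct accounts
    inside a window, even when each account sees only a single failed guess."""
    by_ip = defaultdict(list)
    for e in failed_pin_lookups(events):
        by_ip[e["ip"]].append((e["ts"], e["account"]))
    alerts = []
    for ip, items in by_ip.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            if len({acct for _, acct in items[start:end + 1]}) > max_accounts:
                alerts.append(ip)
                break
    return sorted(alerts)


def daily_failed_pin_counts(events):
    """Site-wide failed PIN lookups per calendar day: the one counter that still
    rises when guesses are spread across both accounts and source addresses."""
    counts = Counter()
    for e in failed_pin_lookups(events):
        counts[e["ts"].date().isoformat()] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-account:", per_account_alerts(evs))          # only alice_smith
    print("per-source spread:", per_source_spread_alerts(evs))  # only 192.0.2.10
    print("daily failed PIN lookups:", daily_failed_pin_counts(evs))
```

The daily site-wide count needs a baseline to alert on, which is a tuning decision the article does not cover; the other two checks are self-contained. Removing the PIN selector from the lookup page, as the article recommends, makes all three unnecessary for that page.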

It's because of attacks like this that I would argue that 4-digit PINs should never be used by themselves for authentication, if there's any possibility of a brute-force attack. They should only ever be used (a) for authentication in conjunction with something else, like a password (for example, if you're already logged in to a financial services account, you could require an additional 4-digit PIN to transfer money to another user); or (b) in a scenario where a brute-force attack is infeasible (for example, if you call tech support and a live human operator asks you to authenticate yourself with a 4-digit PIN).

The same attack is probably possible on the MileagePlus login page, since you can log in using your 4-digit PIN as an alternative to your password. However, this is less of a glaring security hole, because to brute-force someone's PIN on that page, you would have to at least know their MileagePlus number. The "Forgot Your MileagePlus Number?" page, on the other hand, allows you to brute-force someone's PIN when all you know is their name.

As is often the case with stolen PINs and passwords, the most harmful effect here would probably not be the compromising of the user's MileagePlus account. The biggest problem is that most users use the same PINs and passwords for multiple accounts, and the attacker now has the 4-digit PIN that the user probably uses for their voicemail password, their ATM card, their burglar alarm, and who knows what else.

I first sent two emails about this to United's bug bounty email address reporting the issue on May 23, a few hours apart, and then followed up on June 1 asking if anyone had seen the first messages. I still have not received a response.

So why didn't United reply? Have they just been receiving too many submissions by email? About 18 months ago I wrote about a researcher who emailed a security hole to Google and never heard back from them, even after they fixed the issue (although Google apologized and paid him his reward after the article ran). I suggested that if email submissions sometimes get back-logged, it would be a more effective approach to have email submissions reviewed by a lower-paid, less-experienced team of interns than by senior security researchers. The principle is that while it takes experience to find and fix security holes, it only takes some simple logical reasoning skills to evaluate whether a particular discovery constitutes a security hole, so the work can be farmed out to interns who want to gain work experience. By having each submission reviewed by, say, 3 randomly chosen interns from your pool of evaluators, you can churn through the submissions faster and reduce the chances of a legitimate bug falling through the cracks.

I'm sure some of the submissions are crap, and it's not United's fault if they initially got behind because they got more mails than they expected. But as soon as they realized they were getting swamped, they should have put more people on it -- even if those extra people were IT interns with just enough computer experience to read a bug description and tell if it was legit.

And one of the interns could also proofread the submission guidelines. Currently, under "things we will pay 250,000 miles for", the program page lists: "Brute-force attacks." Under "things that will result in criminal prosecution," the same page lists: "Brute-force attacks." If United keeps both promises, I hope my air miles don't expire before I get out of jail.

187 comments

  1. No More Bennett by aardvarkjoe · · Score: 5, Interesting

    I was surprised to find this show up on the Slashdot front page, and then realized that since the last time we had a Bennett post, I had switched computers, and so my user script to block them was no longer installed. Since I'd already seen it, though, I figured I'd post a link to the script again: https://gist.github.com/anonymous/3235db049b18699c082b#file-gistfile1-txt.

    This article isn't as stupid as Bennett's normal tripe; at least he seems to have identified a real issue here, although Slashdot is still allowing him to use their website as his personal blog. One amusing thing, though: he's complaining that United isn't responding to his emails about the hole. I've asked Slashdot repeatedly (through both e-mail and comment threads) to make it possible for us to block Bennett posts, or at least to comment on why they won't. The Slashdot staff have, so far, completely ignored me. They have apparently been too busy adding "share to TwitBook" buttons to the stories.

    --

    How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
    1. Re:No More Bennett by Anonymous Coward · · Score: 2, Insightful

      I think this is the first time I've seen an article title in first person, as well. It's not enough that Bennett uses /. as his personal blog, but now he's even talking about himself on it.

    2. Re:No More Bennett by Anonymous Coward · · Score: 0

      First world problems.

    3. Re:No More Bennett by AntiSol · · Score: 1

      Thanks for your script. I modified it to also block posts from StartsWithABang just in case he comes back

    4. Re:No More Bennett by Anonymous Coward · · Score: 0

It's Dice Friday! Time to bait all the misgyonerd slashdot neckbeards with substandard tripe, identity insults, and political controversies. Yay for the 21st century geek-o-sphere!

    5. Re:No More Bennett by kaiser423 · · Score: 3, Insightful

      Exactly. This is pretty tripe. He admits up front that the bug bounty program says "No brute forcing of other users account" and then assumes that brute forcing is ok. There's also the possibility that they meant that brute forcing in general is not ok, so just tossed his submission when it arrived because it was a brute force attack. My guess is that they already knew it could be brute forced and were looking for other potential security issues to find and implement as a group before they push the next update -- that they were actually looking for a little more in depth security issues than that.

      I have to say that I'm not honestly surprised that Bennett didn't think of that conclusion, because it would require more than a strict literal interpretation of something and navel gazing, which really are his two specialties.

    6. Re:No More Bennett by Anonymous Coward · · Score: 0

      Don't forget Nervells Lobster.

    7. Re:No More Bennett by omems · · Score: 1

      Sweet. Where/how does one run that script?
      Is it for adblock?

    8. Re:No More Bennett by bmxeroh · · Score: 3, Interesting

      (Note: While we accept bug reports on the ability to conduct brute-force attacks, we do not allow execution of brute-force attacks on other users. Please see the “Do not attempt” section. If you believe you have found a method to conduct a brute-force or code injection attack, please report it to us without testing it.).

      The program details specifically say that. He's an idiot, but we all knew that.

      --
      Central Ohio Home Theater Installation - The Theater People
    9. Re:No More Bennett by ItsJustAPseudonym · · Score: 1

      I figured I'd post a link to the script again

      Nice and clean. Thanks.

    10. Re:No More Bennett by aardvarkjoe · · Score: 1

      In chromium/chrome, you can save the file as "nobennett.user.js" and drag it from your file manager onto the chrome://extensions page; chrome will then give you a popup to ask you to confirm.

      In firefox, you can install it using the Greasemonkey plugin.

      There might be other options for other browsers; this was the first/only user script I've ever written, so I don't know all the tricks.

      --

      How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
    11. Re:No More Bennett by occasional_dabbler · · Score: 1
      Regardless of whether or not the 'Frequent Contributor' writes anything worth reading (he doesn't; water bottle delivery at a hippy festival ffs?) when /. posts anything written by the venerable Bennett they know two things:

      1. Massive clickbait to sell to advertisers.

      2. Not a single positive comment from their contributors.

      It's a sad situation that I come to this site to read the insights of fellow slashdotters, from whom I have learned a great deal, when my visit is earning money for a set of cynical pondlife amoeba like Dice. I guess I'm going to spend more time on stack from now on.

      --
      "Our opponent is an alien starship packed with atomic bombs," I said. "we have a protractor"
    12. Re:No More Bennett by Anonymous Coward · · Score: 0

      What the fuck is it with Americans having surnames as first names, is there some sort of traditional given name shortage over there? Bennett is probably the most retarded sounding one I've heard so far.

    13. Re:No More Bennett by RyoShin · · Score: 1

      I actually thought we were done with him. I was actively checking the names of posts in my RSS feed I thought sounded stupid and didn't see him on any, despite having no script for blocking. Damn.

    14. Re:No More Bennett by Anonymous Coward · · Score: 0

      I don't know, I think I agree with his reading. Let's break this down.

      (Note: While we accept bug reports on the ability to conduct brute-force attacks, we do not allow execution of brute-force attacks on other users. Please see the “Do not attempt” section. If you believe you have found a method to conduct a brute-force or code injection attack, please report it to us without testing it.).

      They say they accept bug reports on the ability to conduct brute-force attacks very first thing. They do not allow people to execute them (that's the second part). It has language saying "on other users" in their statement about not allowing people to execute brute force attacks, so that would mean don't execute them on other users. Other users excludes your user from the request of not brute forcing. Then to close the loop, it says that if you have found a method to conduct a brute-force or code injection attack, report it without testing it, which does conflict a little with the loophole they created by saying "other users".

      They pretty explicitly want to know about brute force attacks, it's right there in the statement.

    15. Re:No More Bennett by rvw14 · · Score: 1

      The key factor is "other users". It is unclear if brute force attacks on your own account also fall under this ban.

    16. Re:No More Bennett by idontgno · · Score: 2

      Brute forcing your own account isn't banned. But it's not rewarded, either. That's what the "If you believe you have found a method to conduct a brute-force or code injection attack, please report it to us without testing it." bit of the rules means.

      In other words, no, Bennett, you did not outsmart those meanies in charge of making the rules of this bug bounty system. Your hack wasn't particularly clever, so doesn't get rewarded as if it were. However, the bug report itself is probably valid, and United obviously has some fixing to do. (No failed-PIN limiter? The 1970s called; they'd like their input validation methodology back.)

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    17. Re:No More Bennett by ShaunC · · Score: 1

      Don't forget Roland Piquepaille ;)

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    18. Re:No More Bennett by Culture20 · · Score: 1

      Some Americans use their mother's maiden name as a middle name. Then sometimes that gets passed on to a Jr. or "the III". By then, everyone thinks it's just a regular surname, so they use it as such.

    19. Re:No More Bennett by Anonymous Coward · · Score: 0

not sure who this bennett guy is etc. but you asking them to block him is dumb and does look like censorship don't you think?

I don't spend too much time here, maybe you do if bennett is a problem? See the irony?

    20. Re:No More Bennett by Anonymous Coward · · Score: 2, Informative

      Don't forget Roland Piquepaille ;)

      You might need something more powerful than a script if he comes back.

    21. Re:No More Bennett by Anonymous Coward · · Score: 0

      Thanks for the userscript link, this post gave me cancer.

    22. Re:No More Bennett by Hognoxious · · Score: 1

      By then, everyone thinks it's just a regular surname

      That word does not mean what you think it does.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    23. Re:No More Bennett by Anonymous Coward · · Score: 0

      One amusing thing, though: he's complaining that United isn't responding to his emails about the hole. I've asked Slashdot repeatedly (through both e-mail and comment threads) to make it possible for us to block Bennett posts

      So, apparently United's blocking capabilities are being more successful than Slashdot's?

    24. Re:No More Bennett by KGIII · · Score: 1

      I did not test it but it should work for Tampermonkey which is available, as a fork of Greasemonkey - the scripts are interchangeable, for both Opera and Chrome.

      --
      "So long and thanks for all the fish."
  2. No brute-forcing murky... or clear? by JJJJust · · Score: 4, Informative
    The website explains the brute-forcing thing in a roundabout way... but it does note (emphasis added):

    While we accept bug reports on the ability to conduct brute-force attacks, we do not allow execution of brute-force attacks on other users. Please see the “Do not attempt” section. If you believe you have found a method to conduct a brute-force or code injection attack, please report it to us without testing it.

    1. Re:No brute-forcing murky... or clear? by zlives · · Score: 0, Redundant

      "we do not allow execution of brute-force attacks on other users"
      he did it to his own account

    2. Re:No brute-forcing murky... or clear? by Anonymous Coward · · Score: 0

      At which point they will say, "no, not a bug. no reward. If you had tried this, you would have found it not to work"

    3. Re:No brute-forcing murky... or clear? by Anonymous Coward · · Score: 3, Informative

      Under "DO NOT ATTEMPT" it Clearly states that Brute Force Attacks are not allowed. That's about as clear as they can make it. It's the TOP ITEM under "Don't do this or we will disqualify you and possibly start a criminal investigation"

      Do not attempt:
      Attempting any of the following will result in permanent disqualification from the bug bounty program and possible criminal and/or legal investigation. We do not allow any actions that could negatively impact the experience on our websites, apps or online portals for other United customers.

      Brute-force attacks

    4. Re:No brute-forcing murky... or clear? by Orphis · · Score: 2

      This isn't a BRUTE force attack. This is just a force attack.
      If a server has an issue with 10k requests at night when nobody is using it over a few hours, then they have much bigger problems!

    5. Re:No brute-forcing murky... or clear? by Anonymous Coward · · Score: 0

      How do you find a brute force vulnerability without testing it? How do you know that the system is not hardened to lock an account or attempt after X number of fails in Y amount of time?

    6. Re:No brute-forcing murky... or clear? by bws111 · · Score: 2

      Brute force has absolutely nothing to do with what the server can handle, it just means trying every possibility.

    7. Re:No brute-forcing murky... or clear? by Anonymous Coward · · Score: 0

      Sorry but it's not very clear. A slow-rate brute-force attack is not an action that "could negatively impact the experience on our websites, apps or online portals for other United customers", so a reasonable interpretation is that they're only against high-rate brute-force attacks.

    8. Re:No brute-forcing murky... or clear? by Anonymous Coward · · Score: 0

      https://en.wikipedia.org/wiki/Brute-force_attack

      Particularly:

      In cryptography, a brute-force attack, or exhaustive key search, is a cryptanalytic attack that can, in theory, be used against any encrypted data[1] [...] It consists of systematically checking all possible keys or passwords until the correct one is found. In the worst case, this would involve traversing the entire search space.

    9. Re:No brute-forcing murky... or clear? by Anonymous Coward · · Score: 0

No. Anyone with at least two functioning brain cells gets the meaning.

    10. Re:No brute-forcing murky... or clear? by Lunix+Nutcase · · Score: 1

      You report it to them and they test it.

    11. Re:No brute-forcing murky... or clear? by Orphis · · Score: 0

      Semantics. There's no brutality in this attack, hence the name brute force shouldn't be applied. He isn't pushing the system to the limits while going through all the possible values, which is what happens in traditional brute force attacks.
      The ban on that type of attack is to prevent the researchers to overload the servers. This can't put any noticeable load on the server at all.

    12. Re:No brute-forcing murky... or clear? by Obfuscant · · Score: 1

      If a server has an issue with 10k requests at night when nobody is using it over a few hours, then they have much bigger problems!

      It is daytime somewhere on the planet all the time, United flies internationally, and there are good reasons why someone even in the US would use the United web system when it is their local nighttime. Your excuse that it was "at night when nobody is using it" is ridiculous. People use it all the time. The interwebs are international in scope, dude.

      "At night" doesn't mean it wasn't brute force. Brute force, as another has already pointed out, means "trying all combinations", not "there's only 10,000".

And "brute force" is not a hack, it's script kiddy material. Do you think I should get a million miles just for telling United that hey, I can attach every unattached itinerary to my frequent flier account by brute forcing the record identifier? It's only six characters, so 36 to the sixth power possible values. I can be a multiple-1K with a billion award miles in no time at all!

    13. Re:No brute-forcing murky... or clear? by Obfuscant · · Score: 1

      There's no brutality in this attack,

      Oh for Christ's sake. That's not what "brute" in "brute force attack" means. You are an idiot.

      He isn't pushing the system to the limits while going through all the possible values, which is what happens in traditional brute force attacks.

      Brute force attacks don't require pushing the system to its limits. Brute force attack means using a blunt object (all possible combinations) instead of a finer method (SQL injection, etc) to gain access.

      The ban on that type of attack is to prevent the researchers to overload the servers.

      No it isn't. The ban on getting credit for reporting that type of hack is because it isn't a hack. It is simply using all possible combinations of access credentials until access is granted. It isn't finding a bug.

    14. Re:No brute-forcing murky... or clear? by Anonymous Coward · · Score: 0

      Ok so as a rebuttal to the rule "we do not allow execution of brute-force attacks on other users", you found another rule which says "do not attempt brute-force attacks" without "on other users". What you've got is a proof by omission, and that's weak. It's much more likely that someone forgot to add "on other users" to the part you quoted, than someone adding the words "on other users" by mistake to the part zlives quoted.

    15. Re:No brute-forcing murky... or clear? by RavenLrD20k · · Score: 3, Insightful

      I have an idea. How about you learn something before you talk out of your ass? Brute force has never, in the entire lifetime of the phrase, meant that you were pegging a server while you are trying every possibility for the password on an account. Hell, if I send a username and next-in-series password at a rate of one every 20 minutes, that's still classified as a brute force attack, and unless the server is really anemic, there's no chance in Hell that the server is going down. If I'm doing that same type of attack at a rate of 200 attempts per second, or even 2000 attempts per second, that's still not going to blip much on the server's CPU unless it's already bogged with another process, and those are STILL classed as brute force.

      The type of attack you're looking for is Distributed Denial of Service, which isn't generally for breaking into accounts but taking the server down with an overwhelming number of requests or pings that the server doesn't have the resources to be able to respond to any further requests.

    16. Re:No brute-forcing murky... or clear? by Anonymous Coward · · Score: 0

      "Brute force" is a well introduced technical term. I don't know what a "force attack" is, other than a punk rock festival in East Germany.

    17. Re:No brute-forcing murky... or clear? by grahamsz · · Score: 2

      You could easily refine this based on the logic that users are horribly bad at choosing passwords and pins

      http://www.datagenetics.com/bl...

      You only need to try 426 codes to hit 50% of all pin codes (in that analysis)

    18. Re:No brute-forcing murky... or clear? by omnichad · · Score: 1

      You can still mitigate brute-forcing by putting a waiting period between attempts. And a PIN with only 10,000 combinations absolutely needs protection. So if they left it unprotected, they should fix it.

    19. Re:No brute-forcing murky... or clear? by Anonymous Coward · · Score: 0

      +1

      'brute' in this sense means 'unreasoning', ie there's no sophisticated approach you're using to break in, you're being dumb and simply trying every possible value

      He isn't pushing the system to the limits while going through all the possible values, which is what happens in traditional brute force attacks.

      Brute force attacks don't require pushing the system to its limits. Brute force attack means using a blunt object (all possible combinations) instead of a finer method (SQL injection, etc) to gain access.

      Exactly. Just because it goes right to the limits if you try to do it in the fastest possible way doesn't mean you have to be fast. When it's a remote server it's a good idea not to be or you'll be noticed and blocked very quickly. Pushing it to the limit is generally only something that'll happen when you're trying to break an encrypted value locally (eg a password hash taken from a database).

    20. Re:No brute-forcing murky... or clear? by bennetthaselton · · Score: 1

As I pointed out in the article, "Brute-force attacks" is also listed under things that they will pay out up to 250,000 air miles for: http://peacefire.org/united-bo...

    21. Re:No brute-forcing murky... or clear? by bennetthaselton · · Score: 1

Well of course you're right, it's not sophisticated. But I think the importance of finding and fixing a given hack should be based on the damage that it can do, not how sophisticated it is. Being able to get an arbitrary user's 4-digit PIN is bad.

    22. Re:No brute-forcing murky... or clear? by Nemyst · · Score: 1

      Note that it does say "other users", so technically you could quite easily run the test against yourself.

    23. Re:No brute-forcing murky... or clear? by Anonymous Coward · · Score: 0

      Please don't use the phrase "pegging a server" it put bad visuals in my mind.

    24. Re:No brute-forcing murky... or clear? by Anonymous Coward · · Score: 0

      I have enough experience with webservers to tell you: 2000 attempts per second would indeed cause a blip. A big fat one.

    25. Re: No brute-forcing murky... or clear? by Anonymous Coward · · Score: 0

      "The ban on getting credit for reporting that type of hack is because it isn't a hack. It is simply using all possible combinations of access credentials until access is granted. It isn't finding a bug."

      Not rate limiting is a serious oversight, and is worth reporting. It's a security hole. You shouldn't ever be able to brute force a web page form in a reasonable amount of time.

  3. Bug Bounties . . . by OverlordQ · · Score: 1

    . . . are usually crap.

    --
    Your hair look like poop, Bob! - Wanker.
  4. "My" by Anonymous Coward · · Score: 5, Insightful

    If the title of your post starts with "my", and it isn't on Ask Slashdot, you are a douche.

    1. Re:"My" by Anonymous Coward · · Score: 0

TILSIAK (Today I Learned Something I Already Knew): Bennett Haselton is a douche.

    2. Re:"My" by The+Grim+Reefer · · Score: 1

TILSIAK (Today I Learned Something I Already Knew): Bennett Haselton is a douche.

      You must be new here.

  5. If you think you're in the right... by DoofusOfDeath · · Score: 1

    sue them.

    1. Re:If you think you're in the right... by bobbied · · Score: 1

      For frequent flyer miles? Yea, that's going to pay off.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  6. So what? by Anonymous Coward · · Score: 0

    You discovered that a person has an account? Are you able to do anything with it after a brute force or does it just send a reset password link to their email? You need to clarify.

    1. Re: So what? by Anonymous Coward · · Score: 0

      And he obviously doesn't know what that email address is or he would have entered it instead of guessing the PIN.

  7. Um... Did you actually read the program? by Anonymous Coward · · Score: 5, Informative

    Bugs that are eligible for submission:
    The ability to brute-force reservations, MileagePlus numbers, PINs or passwords (Note: While we accept bug reports on the ability to conduct brute-force attacks, we do not allow execution of brute-force attacks on other users. Please see the “Do not attempt” section. If you believe you have found a method to conduct a brute-force or code injection attack, please report it to us without testing it.)

    Do not attempt:
    Attempting any of the following will result in permanent disqualification from the bug bounty program and possible criminal and/or legal investigation. We do not allow any actions that could negatively impact the experience on our websites, apps or online portals for other United customers.

    Brute-force attacks

    So... It looks like you didn't follow the rules & tested a brute force attack. That straight away says that they will most likely ( and with valid reasoning ) disqualify you from the program. Since you used your account only, they will likely not prosecute. You still broke the rules and will probably not get anything except kicked out.

    1. Re:Um... Did you actually read the program? by CronoCloud · · Score: 3, Insightful

      Yeah, he interpreted it as forbidding brute-force testing against other users, but allowing brute-force against one's own account when it's clear that it actually means "don't test brute-force attacks at all"

      Frequent Contributor Bennet Haselton is coming across as a bit "Autistic spectrum-y" in this story.

    2. Re:Um... Did you actually read the program? by Ichijo · · Score: 3, Insightful

      Serious question: how could someone determine that PINs can be brute-forced without brute forcing them? Without the ability to prove it, it's the bounty hunter's word against the website, and we already know websites will do anything they can to avoid paying.

      --
      Any sufficiently unpopular but cohesive argument is indistinguishable from trolling.
    3. Re:Um... Did you actually read the program? by Anonymous Coward · · Score: 0

      run a short test case, not the entire PIN space

      Okay, so beyond the sophomoric questions ...

    4. Re:Um... Did you actually read the program? by Yebyen · · Score: 1

      >> (Note: While we accept bug reports on the ability to conduct brute-force attacks...
      > when it's clear that it actually means "don't test brute-force attacks at all"

      I hate Bennet Haselton as much as the next man, but you are actually wrong according to GP's quote from the rules.

      --
      Restating the obvious since nineteen aught five.
    5. Re:Um... Did you actually read the program? by Ichijo · · Score: 1

      run a short test case

      Sorry, that would be brute-forcing. Try again.

      --
      Any sufficiently unpopular but cohesive argument is indistinguishable from trolling.
    6. Re:Um... Did you actually read the program? by Anonymous Coward · · Score: 0

      No, that would simply be testing if they have any basic counter-measure like banning you for some time if you try more than x times in x minutes, or asking you for a CAPTCHA after x failures, etc. (both of these per IP and tried account), as was said in the article...

      Their rule is about avoiding performance impacts on their websites. Testing 5-10 times to see if a counter-measure is triggered has zero impact on their performance.

      Testing 10k times, at 2am, "over a few hours" (that is around one request per second, if it took three hours), on the website of a large company, also should have zero impact on their performance (this probably should have triggered some basic anti-(D)DoS counter-measure too, though, considering the pattern...), although this type of 'special' request may be much less optimized...

      That being said, it would not be abnormal for them to refuse him the reward, as a principle/example, considering the risk it may still affect performances in some way, including if there was a bug in his own script...

      They should have replied to him though, and his report seems definitely valid otherwise.

    7. Re:Um... Did you actually read the program? by Obfuscant · · Score: 1

      I hate Bennet Haselton as much as the next man, but you are actually wrong according to GP's quote from the rules.

      He is actually right, according to GPs quote from the rules.

      Do not attempt: ... Brute-force attacks.

      He attempted a brute-force attack. From the fine summary:

      "If the site doesn't limit your number of guesses, you can write a script that iterates through all 10,000 possibilities for the PIN until it finds the right one. I wrote a script that did exactly that, ..."

      So our fine author admitted he did what the rules prohibited. The rules appear quite clear: they will accept reports of how a brute-force attack could be done but prohibit them from being attempted.

      Also, do you not imagine that someone might have already reported this "bug" (which it isn't really, it is a deliberately programmed convenience for the UAL customers)? So why should Bennett walk in and get a prize for reporting an obvious and previously reported issue that is a design decision in the first place? Why should United waste their time replying to a douche who duplicated a previous report and admitted that he broke the rules by running a brute force attack against their website?

      Whatever else BH is, his blogging is a waste of time and electrons.

    8. Re:Um... Did you actually read the program? by Anonymous Coward · · Score: 0

      Typical arrogant Bennett....

    9. Re:Um... Did you actually read the program? by towermac · · Score: 1

      So really, they are doing him a favor by ignoring him.

      If they acknowledge it, they have to kill his account and possibly report him to the authorities.

    10. Re:Um... Did you actually read the program? by Anonymous Coward · · Score: 0

      How did he make sure United Airlines has only one customer with that name?

    11. Re:Um... Did you actually read the program? by Anonymous Coward · · Score: 0

      Why on Earth aren't you allowed to test brute force attacks against your own account?

    12. Re:Um... Did you actually read the program? by im_thatoneguy · · Score: 1

      Try 10 times and assume that there isn't a cap after that. Much easier on the servers than 9999 password reset attempts.

      This is a huge security vulnerability and they should patch it. But he also blatantly broke the rules.

    13. Re:Um... Did you actually read the program? by Obfuscant · · Score: 1

      Why on Earth aren't you allowed to test brute force attacks against your own account?

      Because it isn't your computer and the people who own the computer say you aren't allowed to. Because, while THIS brute force attack may have -- we assume -- little effect on the servers being attacked, other brute force attacks may not be as benign. Because you may not be as good a programmer as you think you are and your "benign" brute force attack may turn out to be quite disruptive. But the main reason is given in the topic sentence of this paragraph.

    14. Re:Um... Did you actually read the program? by bennetthaselton · · Score: 2

      Yeah, he interpreted it as forbidding brute-force testing against other users

      That's right, since it said "we do not allow execution of brute-force attacks on other users"

    15. Re:Um... Did you actually read the program? by Ichijo · · Score: 1

      Try 10 times and assume that there isn't a cap after that... But he also blatantly broke the rules.

      Please provide pseudocode that determines whether he used brute-force. Be sure to fully justify, with citations where possible, any violation of the zero-one-infinity rule in your answer. For example, why 10 attempts? Why not 9, or 11?

      If you can do this, then your claim that he "blatantly" broke the rules might be valid. Good luck!

      --
      Any sufficiently unpopular but cohesive argument is indistinguishable from trolling.
    16. Re:Um... Did you actually read the program? by Bite+The+Pillow · · Score: 1

      You seem to have accidentally hit the "coming across as a bit " key on your keyboard, the "-y" key, and the " in this story" key.

      Your keyboard looks mighty strange from over here.

    17. Re:Um... Did you actually read the program? by Anonymous Coward · · Score: 0

      Bugs that are eligible for submission:
      The ability to brute-force reservations, MileagePlus numbers, PINs or passwords...

      we do not allow execution of brute-force attacks on other users
      (OTHER USERS. You can brute-force your own account)

      Do not attempt: ... any actions that could negatively impact the experience on our websites, apps or online portals for other United customers
      (OTHER UNITED CUSTOMERS. You can negatively impact your own experience on their website, blah, blah blah...)

      They're clearly saying that you CAN'T exploit those bugs or methods against OTHER USERS, yet they didn't rule out targeting YOURSELF.

    18. Re:Um... Did you actually read the program? by AmiMoJo · · Score: 1

      You have to give them the benefit of the doubt. If they refuse to pay up you go public with your complaint and maybe threaten legal action. In the UK you can use the small claims system that only costs about $50, no lawyer needed.

      And next time you sell the vulnerability on the open market, as does everyone else who read your warning.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  8. I tried... by bogie · · Score: 5, Funny

    But they said there was now a $50 service fee in order for me to submit my bug. They said something about how fuel prices had gone up and they had no choice but to start charging the fee.

    --
    If you wanna get rich, you know that payback is a bitch
    1. Re:I tried... by Anonymous Coward · · Score: 0

      You know, you could have that fee waived if you let them cut your legs off the next time you fly coach/steerage...

    2. Re:I tried... by megaronic · · Score: 1

      1. Hack into your own United Airlines account 2. Reset your PIN 3. Hack into own email and intercept PIN reset 4. Profit!

  9. Send your complaints to by Anonymous Coward · · Score: 0

    someone that cares.

  10. Maybe your report was too long. by SeaFox · · Score: 5, Funny

    If your bug submission was anything like your Slashdot submissions, their eyes glazed over after the first three paragraphs and they didn't even read the other eight pages where you actually explained the hack.

    1. Re:Maybe your report was too long. by Anonymous Coward · · Score: 0

      It's more likely that United Airlines is smart enough to toss anything that starts with "Bennett Haselton writes:". Timmy should buy a clue.

    2. Re:Maybe your report was too long. by stoned_ritual · · Score: 1

      I laughed, I cried, I drank some of that ol' janx spirit.

    3. Re:Maybe your report was too long. by JayStraw · · Score: 0

      BH;DR

  11. Is Haselton going to jail? by Anonymous Coward · · Score: 2, Insightful

    http://www.united.com/web/en-US/content/contact/bugbounty.aspx#terms

    Do not attempt:

    Attempting any of the following will result in permanent disqualification from the bug bounty program and possible criminal and/or legal investigation[!!1!]. We do not allow any actions that could negatively impact the experience on our websites, apps or online portals for other United customers.

            Brute-force attacks
            Code injection on live systems
            Disruption or denial-of-service attacks
            The compromise or testing of MileagePlus accounts that are not your own
            Any testing on aircraft or aircraft systems such as inflight entertainment or inflight Wi-Fi
            Any threats, attempts at coercion or extortion of United employees, Star Alliance member airline employees, other partner airline employees, or customers
            Physical attacks against United employees, Star Alliance member airline employees, other partner airline employees, or customers
            Vulnerability scans or automated scans on United servers (including scans using tools such as Acunetix, Core Impact or Nessus)

    Please, please, please, let it happen!

    1. Re: Is Haselton going to jail? by Anonymous Coward · · Score: 0

      Please. Send him to jail. Or at least cut off his internet.

    2. Re:Is Haselton going to jail? by Anonymous Coward · · Score: 0

      Well, if they take it as truth that he only did it to his account, probably not. Then again, he *is* distributing the source code he used to hack it... I believe that is illegal. If someone downloads it & uses it to gain access to other accounts, he could be held partially responsible.

      Then again, IANAL.

    3. Re:Is Haselton going to jail? by Anonymous Coward · · Score: 0

      As someone upthread pointed out, if you found a brute-force attack vector United wants you to tell them about it WITHOUT actually testing it. It doesn't matter to United if you're testing it against your own account, they simply don't want brute force attacks being launched against their website live.

    4. Re:Is Haselton going to jail? by taustin · · Score: 1

      The thing is, you can't find a brute force attack without testing it. And this one is so basic that it's mind boggling that even a clueless web designer let it slip through. This is one that can't be reasonably reported without testing it.

      Mind you, I'm as in favor of Bennett Hassleton being sodomized by a mutant goat on Viagra as anybody, but United's position is, frankly, kinda silly.

    5. Re:Is Haselton going to jail? by stoned_ritual · · Score: 1

      The thing is, you can't find a brute force attack without testing it.

      Yes you can. Are there captcha codes for instance? Can you make more than X (where x is a reasonable number) attempts to incorrectly log in? If no, then you have a brute force vector.

    6. Re:Is Haselton going to jail? by Anonymous Coward · · Score: 0

      You bolded the wrong part of that rule. Let me fix that for you:

      Do not attempt:

      Attempting any of the following will result in permanent disqualification from the bug bounty program and possible criminal and/or legal investigation. We do not allow any actions that could negatively impact the experience on our websites, apps or online portals for other United customers.

      He went out of his way to avoid negatively impacting the experience on the website for other United customers by:
      1) doing his test during low-usage hours.
      2) testing against his own account.

    7. Re:Is Haselton going to jail? by Obfuscant · · Score: 1

      The thing is, you can't find a brute force attack without testing it.

      Of course you can. A four digit PIN is, well, there's only 10,000 possible entries, and you can run through those in a relatively short time.

      And this one is so basic that it's mind boggling that even a clueless web designer let it slip though.

      Huh? You don't think that United might want to allow their paying customers to be able to recover access to their account in some automated way so they can buy more services from United? This is a design decision, not a simple web-designer screw-up.

      Yeah, they could disable an account and force the customer to call a phone number to get it re-enabled, like some websites do. Do you realize how expensive that would be for United to manage? An international company with customers in every time zone on the planet would have to add staff to handle the extra calls.

      Oh, oh, they could put a captcha on it. That would stop automated attacks, but with only 10000 possible entries the average number to test would be 5000, and if someone can get a dozen friends to help out and they take a minute for each try that's only 7 hours to break in. Who wouldn't pay good money to have control of Barack Obama's United frequent flier account?

      By the way, as a user of United's web system, I can tell you that they already do use captchas to prevent automated access. The captcha system they use is the remarkably unfriendly "select all the pictures that show X" system, and seeing the pictures on a 7" tablet is rather difficult at best. When they do it in a way that cannot be pinch-zoomed, it's stupid. And when they think that every sandwich is a "hamburger" (this morning's captcha) it's ridiculous.

      but United's position is, frankly, kinda silly.

      United's position is that they will accept reports of brute force attack methods but prohibit the actual testing of those methods on operational systems. That seems kinda reasonable. Their position is that they also don't pay out for a patently obvious brute-force "bug" that has certainly been reported more than once by more than one person. That also seems reasonable.

    8. Re:Is Haselton going to jail? by RavenLrD20k · · Score: 1

      How you test for a brute-force vector without conducting a full brute force attack:

      Hey, United, I was able to try 10 user/PIN combinations within 30 seconds of each other and did not hit any timeout walls or seeming account blocks. I was also able to directly use my real account/PIN combination on the 11th attempt that I manually did 5 seconds later and was able to get full access to my account. You might want to take a look at this to make sure that on a proper brute-force scale you're not caught with your pants down.

    9. Re:Is Haselton going to jail? by HornWumpus · · Score: 1

      Somebody needs to build a Bennett Hassleton goat sim level.

      Parent poster has suggested the first activity.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    10. Re:Is Haselton going to jail? by bennetthaselton · · Score: 1

      I'm not saying they should disable all automated methods to retrieve your account number, just the method that requires a PIN.

      Remember, I said that the "Forgot your account number?" page lets you retrieve your account number if you enter your name along with any ONE of the following:
      your e-mail address
      your street address
      your phone number
      your PIN
      your password
      your "old MileagePlus number"

      That means if you disable the ability to retrieve it using a PIN, the only people you're locking out are people who remember their PIN but have forgotten everything else on that list, i.e., almost nobody.

    11. Re:Is Haselton going to jail? by Obfuscant · · Score: 1

      I'm not saying they should disable all automated methods to retrieve your account number, just the method that requires a PIN.

      I thought you were saying that you were unhappy because they ignored your brute force attack and report of same and didn't hand you a million award miles.

      Remember, I said that the "Forgot your account number?" page lets you retrieve your account number if you enter your name along with any ONE of the following: your e-mail address

      So you're perfectly happy if someone can "hack" into a United account by knowing someone's name and email address, but not if they know the name and take up to 10000 guesses at the PIN.

      your "old MileagePlus number"

      And it's ok to brute force the old Mileage Plus numbers (six digits, IIRC), but not a four digit PIN.

    12. Re:Is Haselton going to jail? by jrumney · · Score: 1

      To hack the account, they need both the account number and either the PIN or password. This allows them to brute force the PIN, and retrieve the account number as a byproduct of that. Knowing the email address or home address only gets you the account number.

    13. Re:Is Haselton going to jail? by Obfuscant · · Score: 1

      To hack the account, they need both the account number and either the PIN or password. This allows them to brute force the PIN, and retrieve the account number as a byproduct of that.

      No, you don't get the account number that way. The "forgot account number" page uses the customer name and one of the listed items of information to identify your account. If it can identify your account it sends an EMAIL with the account number to the email address of record on that account.

      The horrendous failure is that they don't simply pretend to send an email if you get the PIN wrong, they report that they can't find the account. I've had a bank that pretended to send an email and it was VERY confusing. It kept telling me it was sending an email with my forgotten user ID but I never got anything. I had to go into the bank to find out I didn't have an email address listed on the account -- even though they kept saying they were sending email to me.

      Knowing the email address or home address only gets you the account number.

      No. It gets you nothing of value, unless you've already hacked into the target's email.

    14. Re:Is Haselton going to jail? by bennetthaselton · · Score: 1

      No. Sorry for the confusion. To clarify:

      The "forgot your password" page only confirms that whatever information you have entered is valid information for that user. So if you enter your target's name and email address, it will confirm that there is a user on file with that name and email address -- but if you already had your target's name and email address, you knew that already.

      However, the space of PINs is small enough that you can brute-force it, so when you try enough PINs, now you know that your target with that name is using that PIN. You as the attacker can't actually retrieve the account number, because it will get sent to the email address they already have on file for that user. But now you have their PIN (which quite likely is the same 4-digit PIN they use on other services that require one).
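
An added example, not code from the original post and not anything of United's, that models the lookup behaviour this subthread is arguing about. It puts the reply-text oracle with no attempt cap that the summary describes beside a hardened version that caps failures per account and answers identically whether or not the PIN matched (the "pretend to send the email" point made two comments up), and it also implements the short test case several commenters propose instead of a full brute force: a handful of wrong guesses against your own account, then the real PIN. The account record, the PIN, the reply strings, the cap of five failures, and the attacker's trick of first learning the "not found" reply from a name that cannot exist are all constructed for the example; nothing here contacts a real server.

```python
import hmac
from collections import defaultdict

# Constructed sample data: one MileagePlus-style record. Name, PIN and address are invented.
ACCOUNTS = {("Jane", "Doe"): {"pin": "4271", "email": "jane@example.invalid"}}

MAX_FAILURES = 5      # assumed per-account cap for the hardened version
UNIFORM_REPLY = "If we found a matching account, its number has been emailed."


class OracleLookup:
    """Model of the behaviour the summary describes: the page says whether the
    submitted name+PIN matched a record, and never limits attempts."""

    def __init__(self):
        self.requests = 0
        self.emails_sent = []      # what the real account owner would see in their inbox

    def forgot_number(self, first, last, pin):
        self.requests += 1
        rec = ACCOUNTS.get((first, last))
        if rec is not None and hmac.compare_digest(rec["pin"], pin):
            self.emails_sent.append(rec["email"])
            return "Match found; your MileagePlus number has been emailed."
        return "We could not find an account matching that information."


class HardenedLookup(OracleLookup):
    """Same lookup with two fixes: a per-account failure cap, and one reply
    regardless of outcome, so the only confirmation goes to the owner's inbox."""

    def __init__(self):
        super().__init__()
        self.failures = defaultdict(int)     # keyed by the account being targeted

    def forgot_number(self, first, last, pin):
        self.requests += 1
        key = (first, last)
        rec = ACCOUNTS.get(key)
        if rec is not None and self.failures[key] < MAX_FAILURES:
            if hmac.compare_digest(rec["pin"], pin):
                self.emails_sent.append(rec["email"])
            else:
                self.failures[key] += 1
        # Unknown name, locked account, wrong PIN and right PIN all read the same.
        return UNIFORM_REPLY


def probe_attempt_cap(lookup, first, last, real_pin, tries=10):
    """The short test proposed upthread: send `tries` wrong guesses against your
    own account, then the real PIN. Reports whether the reply text leaks the
    outcome and whether the real PIN is still accepted after the failures."""
    wrong = [f"{i:04d}" for i in range(tries)]
    replies = {lookup.forgot_number(first, last, p) for p in wrong if p != real_pin}
    final = lookup.forgot_number(first, last, real_pin)
    return {
        "reply_leaks_result": final not in replies,
        "real_pin_still_accepted": len(lookup.emails_sent) > 0,
    }


def brute_force_pin(lookup, first, last):
    """The attack from the summary, made generic: learn the 'not found' reply
    from a name that cannot exist, then walk all 10,000 PINs until the reply
    changes. Returns (pin_or_None, total_requests_made)."""
    not_found = lookup.forgot_number("No", "Such-Customer", "0000")
    for i in range(10_000):
        pin = f"{i:04d}"
        if lookup.forgot_number(first, last, pin) != not_found:
            return pin, lookup.requests
    return None, lookup.requests


if __name__ == "__main__":
    print("oracle probe:        ", probe_attempt_cap(OracleLookup(), "Jane", "Doe", "4271"))
    print("hardened probe:      ", probe_attempt_cap(HardenedLookup(), "Jane", "Doe", "4271"))
    print("oracle brute force:  ", brute_force_pin(OracleLookup(), "Jane", "Doe"))
    print("hardened brute force:", brute_force_pin(HardenedLookup(), "Jane", "Doe"))
```

Against the oracle model the probe reports that the reply leaks the result and that the real PIN still works after ten failures, which is all a bug report needs to say; the full walk then recovers 4271 in 4,273 requests. Against the hardened model the same walk makes 10,001 requests, sees a single reply throughout, and never triggers an email, because the account locked after five failures. The caveat raised elsewhere in the thread still applies: a hard per-account lock lets anyone who knows a name block that customer's recovery flow, so in practice the cap is usually a timed backoff or a CAPTCHA rather than a permanent lock, and it is the uniform reply that actually removes the oracle.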

    15. Re:Is Haselton going to jail? by Hognoxious · · Score: 1

      Huh? You don't think that United might want to allow their paying customers to be able to recover access to their account in some automated way

      s/United/your bank/
      s/recover access to/withdraw money from/

      After n failures it should lock, impose a wait, use captchas or something. Design decision my arse.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  12. or you could do this... by roc97007 · · Score: 1

    "Hi. You haven't acknowledged my findings yet. I think I have demonstrated that I've met the requirements of your "bounty". You can of course disagree, and that's fine. There are others who want to buy my work. Should I not hear back from you in the next 14 days, I will do business with them."

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
    1. Re:or you could do this... by weilawei · · Score: 1

      While this shouldn't be on Slashdot (in this format, AKA personal blog post), Bennett's actions are better than trying to coerce them.

      Forbidden as per their terms:

      Any threats, attempts at coercion or extortion of United employees, Star Alliance member airline employees, other partner airline employees, or customers

    2. Re:or you could do this... by idontgno · · Score: 1

      He can't sell that exploit. He's already given it away. Here.

      Please tell me about the other amazing business strategies you're contemplating. Your ideas are intriguing to me and I wish to subscribe to your newsletter.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    3. Re:or you could do this... by im_thatoneguy · · Score: 1

      Quick trip to a federal court for extortion.

  13. Re:Nobody cares. by Eunuchswear · · Score: 1

    I care more about who brute forces comment #50000000.

    --
    Watch this Heartland Institute video
  14. Obvious by Anonymous Coward · · Score: 1

    Had you read the rules, you might have noticed:

    Attempting any of the following will result in permanent disqualification from the bug bounty program and possible criminal and/or legal investigation: Brute-force attacks

    1. Re:Obvious by bennetthaselton · · Score: 1

      Had you read the article, you might have noticed that (1) they say, "We do not allow execution of brute-force attacks on other users", which all sane English-speakers would interpret to mean they allow brute-forcing your own account, and (2) they also list "brute-force attacks" on the list of things they will pay 250,000 air miles for.

    2. Re:Obvious by Anonymous Coward · · Score: 0

      Had you read the article, you might have noticed that (1) they say, "We do not allow execution of brute-force attacks on other users", which all sane English-speakers would interpret to mean they allow brute-forcing your own account, and (2) they also list "brute-force attacks" on the list of things they will pay 250,000 air miles for.

      I also notice this in the rules: "If you believe you have found a method to conduct a brute-force or code injection attack, please report it to us without testing it."

      I think I may understand the confusion, if you're reading it as an inclusive-or statement, i.e.: "don't test your brute force attack on our system" OR "don't do brute force on other users". So by your reading, as long as you don't do one of those things, you're good. The problem is, a list of restrictions is intended to be interpreted as AND'd together, as in: "don't steal" AND "don't kill", where if you fail either of those tests you're breaking the rules. Since you broke the first one by actually doing a full-on brute force attack instead of just telling them it was possible, you've broken the contest rules and been disqualified.

      - Walking the Walk -

  15. DING DEENG DiNG DeeNG by Anonymous Coward · · Score: 0

    Mod Parent Up.

  16. I thought we were done with this crap... by dark.nebulae · · Score: 2

    After not hearing from bennett for so long, I thought slashdot had finally come to its senses and shit-canned that ass wipe. I guess I'm the ass wipe instead.

    1. Re:I thought we were done with this crap... by Virtucon · · Score: 1

      pot meet kettle? Just saying..

      --
      Harrison's Postulate - "For every action there is an equal and opposite criticism"
  17. Write a song about it. by codeButcher · · Score: 1

    Since Mr Hennet Baselton is a blogger, maybe he should write a post about it. Perhaps it will go viral just like this musician's songs about United breaking guitars. Not.

    Jokes aside, I have some friends that are travel agents, and they all seem to shy away from letting their clients fly United.

    --
    Free, as in your money being freed from the confines of your account.
  18. Typical Bennett noise by Anonymous Coward · · Score: 1

    No surprises to be found; Bennett chooses a literal interpretation of something to further his own agenda, and disregards the rule saying "If you find a brute force attack, do not attempt it, it is immediate disqualification."

    I wish Bennett was as smart as he thinks he is and found something noteworthy enough to be sued for exploiting, but the only hack here is him.

  19. Not you again! by Anonymous Coward · · Score: 0

    I thought we got rid of your stupid rants, fuck off Bennet!

  20. So hey bennet by Tyrannosaur · · Score: 0

    To be completely honest I enjoy having an occasional Bennett Haselton submission. (And a quick search through slashdot, they are occasional). I learn a little thing and I think a moderate amount. Which is exactly what I come to slashdot for. If you do ever quit submitting to slashdot I may actually look to see if you have a blog.

    I always hate when companies have such glaring security flaws and refuse to do anything about it. They deserve what comes to them I guess...

    1. Re:So hey bennet by Anonymous Coward · · Score: 0

      Hi Bennet,

      I see you learned how to "hack" a new account name.

  21. Get around the brute force ban by Tyrannosaur · · Score: 1

    [shrugs] you could just resubmit it and show the possibility for a brute force without actually admitting that you broke the rules in testing the possibility...

    1. Re:Get around the brute force ban by ceoyoyo · · Score: 1

      Not any more. Five thousand slashdotters just did that.

  22. Up to 1 million air miles* by NotDrWho · · Score: 3, Funny

    * Meaning 0 - 1 million air miles

    --
    SJW's don't eliminate discrimination. They just expropriate it for themselves.
    1. Re:Up to 1 million air miles* by Virtucon · · Score: 1

      0..* FTFY

      --
      Harrison's Postulate - "For every action there is an equal and opposite criticism"
  23. Additional context for non-frequent flyers by drew870mitchell · · Score: 1

    Something you may not realize if you're not a frequent flyer is that FF miles cost the airline almost nothing since they don't open up additional rewards inventory to match. That is, United could give Bennett a million miles (equivalent to about 40 domestic cheap roundtrips, or several international business or first class trips) by merely changing numbers in their database. They don't actually incur any significant expense because they open the same amount of rewards inventory (seats that can be purchased by miles) as they always would, and then instead of somebody else miles-ing that one seat, Bennett gets it.

    Sure, there are knock-on effects that a real FF misses out on the reward, they become disgruntled with the program, people have to sit next to Bennett, whatever. But airlines are generally very free-wheeling with giving out miles (try it yourself - you can usually get ~1/8 of the way to a domestic RT for something as minor as your video screen not working if you write in to complain) because they know it doesn't really truly cost them that much.

    1. Re:Additional context for non-frequent flyers by ErichTheRed · · Score: 2

      Yes, it's easy to just grant FQTV miles arbitrarily, but airlines do somewhat treat them like currency. Also, the old-school domestic airlines (AA, UA, DL, hey, are there really only 3 left???) rely heavily on business travelers so it's in their best interest to not water down their programs. But you are right - unless they specifically block out inventory, they won't lose money, especially for a one-off bug bounty payment.

      Look at FlyerTalk forums sometime. All those consultants working for the Big 4, or traveling salesmen, or midlevel corporate executives are on there complaining constantly about a perceived slight or loss of benefit. I know a bunch of consultants who easily fly 40+ weeks out of the year. I can definitely see someone being upset about service if they have to endure that much flying, but there are some people who really take it to an extreme. One example would be just missing a status level unless you happen to book an around-the-world trip by the end of the year, and literally sitting on the plane for 48 hours to rack up miles. I guess I'd be a little upset if I did a mileage run and then couldn't get anything for it, but still...

      It's even more interesting now with Delta. DL has decided they actually want to sell first class seats to paying customers, so they're reducing the price from, say, 8x economy price to 3x economy price. That really stirred up a s**tstorm with heavy Delta flyers -- suddenly it's a million times harder to get a free upgrade unless you're Platinum Elite. I'm a moderate flyer, never enough to even get the first status level in a FF program, but I always just end up buying tickets over the long run with what I rack up. That seems to work for me....that and hotel points -- taking a family of four on a trip is easier with the occasional free hotel night Marriott throws me.

    2. Re:Additional context for non-frequent flyers by im_thatoneguy · · Score: 1

      Most United Frequent Flyer awards though aren't claimed. Except for really popular routes at popular times you can get a Saver Frequent Flyer ticket almost anywhere. Your assertion assumes that Award tickets are always completely filled. Especially considering that most Airlines can now sell out entire flights most of the time that means they are missing out on some revenue.

      Frequent flyer programs do cost money but they also do make a lot of money too. Both through Credit Card fees and because if you do legitimately concentrate on one airline you will spend a little extra for the miles. For instance I'll fly a preferred airline even if it's $120 more on a $1,000 ticket because the miles (Especially status miles) are worth $120. So not only are they making more on their sale than a competitor but they're making the sale in the first place. If you fly randomly on random airlines, almost nobody will earn enough reward miles on any given airline to ever redeem them at all.

  24. Re:Fuck you Bennet by Anonymous Coward · · Score: 0

    Dang, brother. You always like this or you just don't like Bennet? Let's keep it clean kids.

  25. A million miles on United? by Virtucon · · Score: 4, Funny

    That's like 10 years in Leavenworth.

    --
    Harrison's Postulate - "For every action there is an equal and opposite criticism"
    1. Re:A million miles on United? by Anonymous Coward · · Score: 0

      Now instead of waiting in line for ice at Burning Man, Bennett can calculate wait times for inmates waiting to pound his ass in federal prison.

  26. If you get them to honor it... by Overzeetop · · Score: 3, Funny

    Good News - you've got a million frequent flyer miles!
    Bad News - you have to fly United.

    --
    Is it just my observation, or are there way too many stupid people in the world?
  27. Fix the Date, Phone and Reservation ID by Art+Challenor · · Score: 1

    Haven't tried United recently, but websites where they ask you for a US phone number and then complain that you entered dashes, spaces, etc. really piss me off. A US phone number is 10 digits. If you ignore everything that isn't a digit and end up with 10 digits (or it starts with a 1 and you have eleven) then it's a freaking phone number.

    Credit card numbers ditto.

    Reservation number. If the first character is a space (as it often is after a copy/paste from e-mail) then ignore it and take the rest of the characters and see if they match the format you defined.

    The date is a little trickier but not much.

    If the people you hired to program the site can't manage these simple basics, there's really not much hope that the site is secure.
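One way to implement the lenient normalisation the comment above describes, written as an added example (it is not the commenter's code, nor anything from an airline's site): strip everything that is not a digit, then judge the input by what is left instead of rejecting it over punctuation or a leading space. The reservation-code format used here (six upper-case letters or digits) is an assumption, since the thread never states United's; the Luhn checksum on the card number is the "format you defined" step carried one notch further than the comment's "strip the non-digits".

```python
"""Lenient normalisation of user-typed identifiers.

Added example; not code from the thread or from any airline's website.
"""
import re
from typing import Optional


def normalize_us_phone(raw: str) -> Optional[str]:
    """Return the 10-digit US number, or None if the digits do not form one.

    Any punctuation or whitespace is ignored.  An 11-digit string is accepted
    only when it starts with the country code 1, which is then dropped.
    """
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    if len(digits) != 10:
        return None
    return digits


def luhn_ok(digits: str) -> bool:
    """Standard Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_card_number(raw: str) -> Optional[str]:
    """Strip non-digits from a card number; keep it only if the length is
    plausible (13 to 19 digits) and the Luhn check passes."""
    digits = re.sub(r"\D", "", raw)
    if not 13 <= len(digits) <= 19:
        return None
    return digits if luhn_ok(digits) else None


# Assumed reservation-code format: six upper-case letters or digits.
# The real format is not stated in the thread; adjust to the one you define.
RESERVATION_RE = re.compile(r"[A-Z0-9]{6}")


def normalize_reservation(raw: str) -> Optional[str]:
    """Drop surrounding whitespace (the leading space a copy/paste from
    e-mail often brings along), upper-case, then match the defined format."""
    cleaned = raw.strip().upper()
    return cleaned if RESERVATION_RE.fullmatch(cleaned) else None


if __name__ == "__main__":
    for sample in ["(425) 555-0100", "1-425-555-0100", "425-555-010"]:
        print(repr(sample), "->", normalize_us_phone(sample))
    print(normalize_card_number("4111 1111 1111 1111"))
    print(normalize_reservation(" ABC123"))
```

The point of doing the cleanup server-side is that the same function then feeds the validation, so a value is never accepted in one place and rejected in another because of formatting alone.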

  28. You forgot to mention one thing... by bobbied · · Score: 2

    One of the terms here is that your submission "MUST BE THE FIRST" that specifies the successful attack...

    If you don't know for sure yours was the first (and there is no way you can) it's up to United to respond or not and pony up with the miles or not. So you did all that work, proved the attack works, but you don't really know if United hasn't already validated somebody else's submission for this and paid THEM the miles you think they owe you.

    Then there is the whole, how do you know they actually received it vector....

    Look, you are unlikely to get anything out of United on this. Stop whining about it and move on.

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    1. Re:You forgot to mention one thing... by bennetthaselton · · Score: 1

      That's even worse, because that means they know about this gaping hole that lets you steal other users' 4-digit PINs, and they still haven't fixed it. (It should not take long to push an update to their site that removes the "PIN" option from the "forgot your account number" page -- and it should not negatively impact their users either, since you can still retrieve your account number if you enter your name along with your address, your email address, your phone number, or your password.)

    2. Re:You forgot to mention one thing... by AmiMoJo · · Score: 1

      Any reasonable bug bounty programme should pay out if you report a bug while it's live. It's only fair, especially if the goal is to stop bugs being sold as zero day.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  29. They probably never got the email by rebelwarlock · · Score: 1

    Didn't you whine a lot before about how spam filters always weed out your inane drivel?

    1. Re:They probably never got the email by Anonymous Coward · · Score: 0

      Or if they got it, they fell asleep reading it.

    2. Re:They probably never got the email by bennetthaselton · · Score: 1

      Yes. But those were for mails being sent from the peacefire.org server itself. The emails I sent to United were sent through my Gmail account, through Google's SMTP servers, so those mails are less likely to be blocked.

  30. Which is a fucking retarded premise by Anonymous Coward · · Score: 0

    "We'll pay you for your security vuln, but you can't use Brute Force because we know our shit is extremely insecure already"

    hahahaahahaaaaa, what a bunch of pathetic twats. Good to this guy for "brute forcing" hahaahahah their insecure 4 digit pin.

  31. Why Brute Force PIN? by freak0fnature · · Score: 1

    I'd be more concerned that you can use first name, last name and phone number. Your example takes 10000 PIN attempts with a given first and last name, where you could script it to go through a phone book and have legitimate combinations of the 3. The same goes for email. And on that note, the article just says success indicates if the account exists....I don't see anything about actually being able to reset your own password using this method.

    1. Re:Why Brute Force PIN? by bennetthaselton · · Score: 1

      That's correct, this attack doesn't let you reset a user's password. It only lets you find out their 4-digit PIN, which is (1) bad in and of itself, and (2) bad because the person probably uses the same 4-digit PIN for other services that require one.

      By contrast, if you enter a known first-name/last-name/phone-number combination, all the site does is tell you that's a valid combination -- but you already knew that before you entered it, so there's no attack there.

      Thank you however for posting a non-deranged comment!

  32. tl;dr: meh by JoeyRox · · Score: 1

    And more meh.

  33. Re:Nobody cares. by Anonymous Coward · · Score: 0

    The Dice Slashdot administrators should reseed the DB's post ID column to 50000001, and then link the cid=50000000 page to one that shows a picture of goatse. That would be a fitting tribute to the Slashdot of days gone by.

  34. Great News by GameboyRMH · · Score: 1

    I hope Bennett gets his million free air miles so that he'll spend more time traveling and less time writing Slashdot submissions!

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
    1. Re:Great News by kimvette · · Score: 1

      They promise "up to" one million free miles...

      0 = 1000000 therefore they are living up to their promise... technically....

      --
      The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
    2. Re:Great News by kimvette · · Score: 1

      hmm make that "less than or equal to"
      I forgot /. requires & l t ;

      --
      The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
  35. Might be helpful. by Anonymous Coward · · Score: 0

    http://hackerfactor.com/blog/index.php?/archives/674-The-Friendly-Skies.html

  36. More like... by Overzeetop · · Score: 1

    ...13 or 14 if you factor in the number of times your flight will be delayed or cancelled.

    --
    Is it just my observation, or are there way too many stupid people in the world?
  37. Well... by Anonymous Coward · · Score: 0

    You were most likely writing to their IT staff.

    ...

    In the aviation industry, most of these staff have probably worked there for quite a while.

    ...

    At least one of them is probably a regular reader of Slashdot.

    ...

    Any regular reader of Slashdot would recognize who Bennet Haselton is right away.

    ...

    I wonder why.

  38. Dear Bennett, The rules apply to you. read them. by Anonymous Coward · · Score: 0

    Don't you have a WordPress site or something? What about a YouTube account? Won't you consider leaving Slashdot and never returning?
    Seriously, I'm starting to worry. From the details of your story, I get the feeling that you actually did this rather than your usual style of making stuff up and submitting it as fact.
    In the beginning I thought people here were just picking on you. I'm starting to realize that you are not just some goofy AI re-incarnation of taco

  39. Birthday Attack by gringer · · Score: 1

    Keep the option to retrieve your account number by submitting your password, since even weak passwords are far harder to guess than 4-digit PIN numbers.

    I don't think that's a reasonable assumption to make, particularly if you don't care about which account you get access to. Instead of guessing a lot of passwords for a single user, you can guess a small number of passwords for a lot of users. This also gets around any limits regarding access for a single account, as has been suggested as a solution. Getting multiple boxes to carry out this operation gets around limits regarding account access from a single IP address.

    If you choose a sufficiently common weak password (and United's password system allows people to enter such passwords by default), then the chance of discovering a correct user/password combination is pretty high.

    --
    Ask me about repetitive DNA
    1. Re:Birthday Attack by bennetthaselton · · Score: 1

      That's absolutely right, I mentioned this in the article (in the section starting with "However, if the attacker has a database of 1000 customer names...") but in the context of using it on PINs instead of passwords.

      Basically, if they allow really weak passwords, then any attack that works on PINs will work on passwords. (Well, almost -- even if they allow weak passwords, at least they can't force everyone to have a weak password -- they do however force all new users to choose a 4-digit PIN.)
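The exchange above (gringer's point that per-account and per-IP limits are evaded by trying one or two guesses against many accounts from many addresses, and the reply that the same applies to PINs) is what a defender has to detect rather than just rate-limit. The following is an added example, not code from the thread or from United: it runs a per-account counter, a per-IP counter, and a sliding-window count of distinct accounts that failed, over constructed log lines for a lookup endpoint like the "forgot your MileagePlus number" page. The log format, the names and the addresses are all made up for the example; the thresholds are placeholders.

```python
"""Spot a 'spray' across many accounts that stays under per-account and
per-IP limits.  Added example with constructed log lines; not code from the
thread or from United's site.
"""
import re
from collections import Counter, deque
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple


class Event(NamedTuple):
    ts: datetime
    ip: str
    account: str
    ok: bool


# Constructed log format: timestamp, source address, account looked up, result.
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

# Constructed sample: eight different accounts, one wrong guess each, from
# eight different addresses inside a minute; then one real user who mistypes
# twice and succeeds half an hour later.
SAMPLE_LOG = """\
2015-06-30T02:00:01 203.0.113.10 alice.smith FAIL
2015-06-30T02:00:02 203.0.113.11 bob.jones FAIL
2015-06-30T02:00:03 203.0.113.12 carol.white FAIL
2015-06-30T02:00:04 203.0.113.13 dan.brown FAIL
2015-06-30T02:00:05 203.0.113.14 erin.green FAIL
2015-06-30T02:00:06 203.0.113.15 frank.black FAIL
2015-06-30T02:00:07 203.0.113.16 gina.gray FAIL
2015-06-30T02:00:08 203.0.113.17 hal.stone FAIL
2015-06-30T02:30:00 198.51.100.7 ivy.hill FAIL
2015-06-30T02:30:20 198.51.100.7 ivy.hill FAIL
2015-06-30T02:30:45 198.51.100.7 ivy.hill OK
"""


def parse_log(text: str) -> List[Event]:
    """Parse the constructed format into Events sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        ts, ip, account, result = m.groups()
        events.append(Event(datetime.fromisoformat(ts), ip, account, result == "OK"))
    return sorted(events, key=lambda e: e.ts)


def analyze(events: List[Event],
            window: timedelta = timedelta(minutes=10),
            per_account_limit: int = 5,
            per_ip_limit: int = 5,
            spread_threshold: int = 6) -> Dict[str, object]:
    """Apply the three checks.  Thresholds are placeholders, not tuned values.

    Returns the accounts a per-account lockout would have hit, the addresses a
    per-IP limit would have blocked, and one alert per failed lookup at which
    the number of distinct failing accounts in the window reached the
    threshold: (time, distinct accounts, distinct source addresses).
    """
    fails_by_account: Counter = Counter()
    fails_by_ip: Counter = Counter()
    recent: deque = deque()            # failed events inside the current window
    spray_alerts: List[Tuple[datetime, int, int]] = []

    for ev in events:
        if ev.ok:
            continue
        fails_by_account[ev.account] += 1
        fails_by_ip[ev.ip] += 1
        recent.append(ev)
        while recent and ev.ts - recent[0].ts > window:
            recent.popleft()
        accounts = {e.account for e in recent}
        if len(accounts) >= spread_threshold:
            spray_alerts.append((ev.ts, len(accounts), len({e.ip for e in recent})))

    return {
        "locked_accounts": {a for a, n in fails_by_account.items() if n >= per_account_limit},
        "blocked_ips": {ip for ip, n in fails_by_ip.items() if n >= per_ip_limit},
        "spray_alerts": spray_alerts,
    }


if __name__ == "__main__":
    result = analyze(parse_log(SAMPLE_LOG))
    print("per-account lockouts:", result["locked_accounts"])   # empty
    print("per-IP blocks:      ", result["blocked_ips"])        # empty
    for ts, n_acct, n_ip in result["spray_alerts"]:
        print(f"{ts.isoformat()} spread alert: {n_acct} accounts from {n_ip} addresses")
```

On the sample, neither the per-account nor the per-IP counter ever fires, while the spread counter alerts from the sixth distinct failing account onward and stays quiet on the single user who mistyped twice. A real deployment would pick the window and threshold from the endpoint's normal failure rate, which this example does not know.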

  40. Does 10,000 hits really count as brute force? by grahamsz · · Score: 1

    These days we talk about brute forcing keys with trillions of possible candidates; this is more like "slight" force rather than brute force.

    1. Re:Does 10,000 hits really count as brute force? by Anonymous Coward · · Score: 1

      Yes it qualifies as brute force.

  41. Simple: This is not a security "hole". by gweihir · · Score: 1

    This is a designed-to-be vulnerable (by idiots, but still) thing. They only pay for unintentional vulnerabilities.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  42. Re:Fuck you Bennet by Anonymous Coward · · Score: 0

    AND....this is why I rarely come to Slashdot. Too many emotionally immature children like you involved... Grow up boy, seriously.

  43. I wouldn't pay either. by Anonymous Coward · · Score: 0

    Your "hack" is script kiddie grade shit.

  44. hey editors by surd1618 · · Score: 1

    So I understand the free speech libertarian if-it-gets-comments-we-run-it thing, but the comments on this article, while numerous, are 90% paraphrasable as "Why the @#$ is this on /.?"
    So... ?

    1. Re:hey editors by Anonymous Coward · · Score: 0

      that's not a "free speech libertarian... thing"; that's an asshole thing. i mean, yes, there is a lot of overlap, but they're not exactly the same.

      captcha: vanities

  45. "Up to" one million miles by kimvette · · Score: 1

    0 is = 1000000 so they are living up to their word, unfortunately.

    --
    The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
    1. Re:"Up to" one million miles by kimvette · · Score: 1

      hmm make that "less than or equal to"
      I forgot /. requires & l t ; (the html code for the left angle bracket)

      trying again...

      0 is <= 1000000 so they are living up to their word, unfortunately.

      --
      The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
    2. Re:"Up to" one million miles by Anonymous Coward · · Score: 0

      did you mean &lt;

    3. Re:"Up to" one million miles by kimvette · · Score: 1

      AS evidenced by the line following "trying again...." yes ;)

      --
      The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
  46. I had a similar experience. by Anonymous Coward · · Score: 1

    I worked at a hospital that had a 'contest' for cost savings ideas. You were to receive a coffee mug for just submitting an idea, and if you actually saved them money, they'd pay you 10% of the savings. I suggested that they stop giving away coffee and start charging $0.05 a cup. $0.05/cup would still bring a lot of good will, and it would have made $50 per year on just me, just working every other weekend. 20 cups a day at a nickel a cup would have saved them quite a bit.

    They did not even acknowledge my submission. (And, I continued to drink my 20 cups/day for free.)

    1. Re:I had a similar experience. by Anonymous Coward · · Score: 0

      I worked at a hospital that had a 'contest' for cost savings ideas. You were to receive a coffee mug for just submitting an idea, and if you actually saved them money, they'd pay you 10% of the savings. I suggested that they stop giving away coffee and start charging $0.05 a cup. $0.05/cup would still bring a lot of good will, and it would have made $50 per year on just me, just working every other weekend. 20 cups a day at a nickel a cup would have saved them quite a bit.

      They did not even acknowledge my submission. (And, I continued to drink my 20 cups/day for free.)

      Chances are they didn't accept your submission because the ROI was all wrong.

      They figured no one should last a year drinking 20 cups of coffee every day.

    2. Re:I had a similar experience. by behrooz0az · · Score: 1

      In a hospital, hmm, kudos to them for not making doctors, nurses, patients, ... touch filthy coins.

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
  47. Re:Nobody cares. by Anonymous Coward · · Score: 0

    OH GOD NOW I'M WATCHING FOR THIS.

    Caps were required for the beginning, then I noticed I had gone too far. We don't turn back in this family!

  48. ITT by slashdime · · Score: 1

    Bennett shows that he logs onto United webpage the same way he tries to write a decent article: brute force.

    1. Re:ITT by bennetthaselton · · Score: 1

      except I did log on to United

  49. you are not patient enough by Anonymous Coward · · Score: 0

    I submitted bugs like a week after the program was announced, I just got contacted last week. You are not waiting long enough for a response.

  50. Hah by wonkey_monkey · · Score: 1

    The headline begins with "My" and the submitter is...

    --
    systemd is Roko's Basilisk.
  51. Pertinent is the legal theory of... by Anonymous Coward · · Score: 0

    ... fuck you Bennett you fucking cunt fuck.

  52. Bullshit by ItsPaPPy · · Score: 1

    On the first day I found an XSS flaw on their website and reported it. A month later they change the rules and exclude that sub domain and tell me they aren't taking submissions for that domain.

  53. HE'S BACK!!!!! by thegarbz · · Score: 1

    Oh how I missed you. Hey a suggestion for the future: You should host your blog at medium.com and just link every Slashdot story to it. The resulting singularity may be able to be harnessed for clean energy. Dice would be on board if they can put a billboard up next to it.

    1. Re:HE'S BACK!!!!! by Anonymous Coward · · Score: 0

      I had to do a search to see if he is a real person. He has a Wikipedia page, that reads like his submissions here. It was marked for deletion today and will be gone July 3 if no one else does anything.

      Actually the description of his life reads like his postings here.

    2. Re:HE'S BACK!!!!! by Anonymous Coward · · Score: 0

      I had to do a search to see if he is a real person. He has a Wikipedia page, that reads like his submissions here. It was marked for deletion today and will be gone July 3 if no one else does anything.

      Actually the description of his life reads like his postings here.

      Quote from Wiki page talk tab "He's a fully accredited moron." I liked the fact it was footnoted back to slashdot. Tim S.

  54. So.... by tommeke100 · · Score: 1

    Bennett Haselton, that's your first and last name, right ? .....

  55. Re:Nobody cares. by fulldecent · · Score: 1

    I missed the boat... posted the comment to the wrong story AND made it too late http://yro.slashdot.org/commen...

    But I'm having trouble finding who DID make it.

    --

    -- I was raised on the command line, bitch

  56. "Eating your words" != GOOD nutrition by Anonymous Coward · · Score: 0

    "Your hosts file comments are not trustworthy" - by omnichad (1198475) on Friday August 09, 2013 @11:22AM (#44520759)

    Oh, really? Ok: MalwareBytes' hpHosts Admin (MalwareBytes employee who has seen & verified its sourcecode too no less as safe) hosts & recommends it -> http://hosts-file.net/?s=Downl...

    &

    MalwareBytes = BEST antivirus (per this VERY recent testing of them all) -> http://www.av-test.org/en/news...

    &

    It's GUARANTEED safe & clean (per it being checked by 57 antivirus programs recently) in BOTH its 64-bit model -> https://www.virustotal.com/en/...

    +

    In its 32-bit model also https://www.virustotal.com/en/...

    ---

    Tells us, omniweasel:

    * HOW'S IT TASTE "EATING YOUR WORDS" flavored with your FOOT IN YOUR MOUTH ramming them down spiced with the BITTER TASTE of SELF-DEFEAT"?

    LMAO...

    APK

    P.S.=> Lastly: In the past, You also conceded MANY points on hosts to me & made huge mistakes vs. me here http://tech.slashdot.org/comme...

    &

    Here too http://tech.slashdot.org/comme...

    LMAO @ U, "omniloser"... apk

  57. Mine got accepted. by Anonymous Coward · · Score: 0

    Took a while (submitted a day after the announcement), but I heard back just recently. Details omitted because I don't have confirmation the bugs are fixed.

    I know United hasn't handled this particularly smoothly, but at least they're trying, which is more than most non-tech companies can say. Let's give them some time to try to iron out the kinks before we lambast them in an obnoxious WhenDidSlashdotBecomeYourBlog post.

  58. Prarie shit by Hognoxious · · Score: 1

    It's completely clear: they don't, otherwise why bother writing "on other users"?

    If I say "don't drink the beer on the table" that means you totally can drink the lemonade, or the beer in the cupboard. If I'd meant "don't drink" that's what I'd have said.

    However, later it says brute force attacks aren't allowed, with no restriction or qualification.

    Though it pains me most grievously, I can sympathise with Bonehead Hamsterbum to an extent - the rules are badly written. They break DRY, except it's even worse because by not-quite-exactly repeating it's inconsistent. Thus, it's unclear which takes precedence.

    Which I contend, M'Lud, is the crux of the case.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  59. I donno if I'm missing something... by __aabppq7737 · · Score: 1

    but did Apple require all new iDevices running iOS 9 to have minimum of 6 digit PINs for this reason? (brute force attacks)

  60. Re:Nobody cares. by rduke15 · · Score: 1
  61. Re:Fuck you Bennet by the_digitalmouse · · Score: 1

    This is why the vulgar poster is listed as "Anonymous" - got no balls of his own. So the 'children' quip is fitting.

    --
    http://about.me/jimm.pratt
  62. hacking by Anonymous Coward · · Score: 0

    If you ever need spywork done on anyone, clear criminal records, hack into any account including banks or simply have a bone to pick with someone brainlink99@gmail.com is the go to guy