Slashdot Mirror


My United Airlines Website Hack Gets Snubbed

Bennett Haselton writes: United Airlines announced that they will offer up to 1 million air miles to users who can find security holes in their website. I demonstrated a way to brute-force a user's 4-digit PIN number and submitted it to them for review, emailing their Bugs Bounty contact address on three occasions, but I never heard back from them. Read on for the rest. If you've had a different experience with the program, please chime in below.

United Airlines announced the program in May (also specifying rules which specifically prohibited hacking in-flight systems, but which included "[t]he ability to brute-force reservations, MileagePlus numbers, PINs or passwords".) I poked around on their website and discovered that on their "Forgot your MileagePlus number?" page, you can request a reset of your password by submitting your first and last name, AND any ONE of the following:

  • your e-mail address
  • your street address
  • your phone number
  • your PIN
  • your password
  • your "old MileagePlus number"

And after submitting your information, the page will tell you whether your information matched an existing MileagePlus customer record.

This means that if you know a user's first and last name, you can guess their PIN, and the MileagePlus site will tell you whether you got it right or not. If the site doesn't limit your number of guesses, you can write a script that iterates through all 10,000 possibilities for the PIN until it finds the right one.

I wrote a script that did exactly that, and brute-forced my own account's PIN in a few hours (submitting one guess at a time, and running at 2 a.m. so as not to impact any other users). This means that United's website is not limiting the number of guesses per IP address, or showing a CAPTCHA after some number of failed attempts, or limiting the number of guesses per hour on a particular account, or any other countermeasures that you might expect. (The Bugs Bounty Program rules state, "[W]e do not allow execution of brute-force attacks on other users," which I interpreted to mean that brute-forcing your own account ought to be fine.)

So, United, if you're reading this, the immediate fix should be to disable the "PIN" option on the "Forgot your MileagePlus Number?" page. Keep the option to retrieve your account number by submitting your password, since even weak passwords are far harder to guess than 4-digit PIN numbers. But get rid of the PIN option.

I mentioned other possible countermeasures, including limiting requests per IP address and showing a CAPTCHA, but I actually don't think either of these would be effective. If you limit requests per IP address, any serious adversary will have a botnet of machines that they can use to submit requests from different addresses. If you make the user type in a CAPTCHA to submit a request, an attacker can hire workers online to read and type in the CAPTCHAs for a penny apiece. If you limit the number of reset attempts per hour on a particular account, that will slow down the attacker's attempts to brute-force the PIN for a particular account. However, if the attacker has a database of 1000 customer names and wants to find PINs for all of them, on Day 1 they could try 10 PINs for customer 1, then 10 PINs for customer 2, and so on up to customer 1000, and then on Day 2 they could try the next set of 10 PINs on customer 1, customer 2, etc. The attacker can't find any particular customer's PIN quickly, but they will be able to recover all of the customers' PINs slowly -- even though they never did more than 10 PIN authentication attempts on any particular account in the same day. Without a safe countermeasure, then, simply getting rid of PIN authentication would be the best fix.
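To make the two points above concrete, here is a small in-memory model, added for this write-up and not code from the article or from United. It treats the recovery page as an oracle that confirms whether a name plus PIN matched a record, adds the per-account daily cap discussed above, and then shows both why the cap alone does not help against the slow many-account sweep and what the proposed fix looks like (no PIN as a recovery factor, and a reply that is identical whether or not the details matched). The customer records, PINs, reply strings and the class and function names are all constructed for the example; nothing here contacts a real website.

```python
"""Added model of the recovery-page weakness described in the article.

Everything here is constructed for illustration: the customer records, PINs
and reply strings are made up, and nothing contacts a real website.  It models
the recovery page as an oracle that confirms whether a name + PIN guess matched
a record, a per-account daily attempt cap, and the fix the article proposes:
drop the PIN as a recovery factor and stop revealing whether the details matched.
"""
import hmac
from collections import defaultdict

# Constructed sample records, (first, last) -> 4-digit PIN.  Not real data.
SAMPLE_RECORDS = {
    ("Alice", "Example"): "0007",
    ("Bob", "Example"): "0042",
    ("Carol", "Example"): "9999",
}

# What a hardened page answers no matter what was submitted.
GENERIC_REPLY = "If the details match a record, the number is sent to the e-mail on file."


class RecoveryPage:
    """In-memory stand-in for a 'forgot your number' endpoint.

    accept_pin=True with limit_per_day=None reproduces the behaviour the article
    describes: unlimited guesses and a reply that says whether name + PIN matched.
    """

    def __init__(self, records, accept_pin=True, limit_per_day=None):
        self.records = records
        self.accept_pin = accept_pin
        self.limit_per_day = limit_per_day
        self.day = 0
        self.attempts = defaultdict(int)  # (account key, day) -> attempts used

    def lookup(self, first, last, pin):
        key = (first, last)
        if not self.accept_pin:
            # Hardened form: the PIN is not a lookup factor, and the reply is
            # identical for matching and non-matching input, so there is no oracle.
            return GENERIC_REPLY
        if self.limit_per_day is not None:
            if self.attempts[(key, self.day)] >= self.limit_per_day:
                return "rate limited"
            self.attempts[(key, self.day)] += 1
        stored = self.records.get(key)
        if stored is not None and hmac.compare_digest(stored, pin):
            return "match"
        return "no match"

    def next_day(self):
        self.day += 1


def single_account_guesses(page, first, last):
    """Guesses needed to confirm one account's PIN by walking 0000-9999.
    Returns None as soon as the page stops confirming (cap hit, or hardened)."""
    for n in range(10_000):
        reply = page.lookup(first, last, f"{n:04d}")
        if reply == "match":
            return n + 1
        if reply != "no match":
            return None
    return None


def sweep_days(page, accounts, guesses_per_day):
    """Model the article's slow sweep against a per-account daily cap: spend
    guesses_per_day attempts on every account each day, then move to the next
    day.  Returns {account: day its PIN was confirmed, or None if never}."""
    found = {acct: None for acct in accounts}
    next_guess = {acct: 0 for acct in accounts}

    def pending():
        return [a for a in accounts if found[a] is None and next_guess[a] < 10_000]

    while pending():
        for acct in pending():
            for _ in range(guesses_per_day):
                n = next_guess[acct]
                if n >= 10_000:
                    break
                next_guess[acct] = n + 1
                if page.lookup(*acct, f"{n:04d}") == "match":
                    found[acct] = page.day
                    break
        page.next_day()
    return found


if __name__ == "__main__":
    accounts = list(SAMPLE_RECORDS)
    print("no cap, Alice:", single_account_guesses(RecoveryPage(SAMPLE_RECORDS), "Alice", "Example"))
    print("10/day cap, Bob alone:",
          single_account_guesses(RecoveryPage(SAMPLE_RECORDS, limit_per_day=10), "Bob", "Example"))
    print("10/day cap, sweep:", sweep_days(RecoveryPage(SAMPLE_RECORDS, limit_per_day=10), accounts, 10))
    print("hardened, sweep:", sweep_days(RecoveryPage(SAMPLE_RECORDS, accept_pin=False), accounts, 10))
```

Run as a script, it shows the three regimes side by side: with no cap a single account falls within at most 10,000 confirmations; with a 10-per-day cap a naive run against one account is cut off on day 0, yet the sweep that spreads 10 guesses over every account still confirms all three PINs (the worst-case account, PIN 9999, on day 999), exactly the arithmetic in the paragraph above; and with the PIN removed as a recovery factor and a uniform reply, the model never confirms anything, so neither the cap nor a CAPTCHA is what the defence depends on.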

It's because of attacks like this that I would argue that 4-digit PINs should never be used by themselves for authentication, if there's any possibility of a brute-force attack. They should only ever be used (a) for authentication in conjunction with something else, like a password (for example, if you're already logged in to a financial services account, you could require an additional 4-digit PIN to transfer money to another user); or (b) in a scenario where a brute-force attack is infeasible (for example, if you call tech support and a live human operator asks you to authenticate yourself with a 4-digit PIN).

The same attack is probably possible on the MileagePlus login page, since you can log in using your 4-digit PIN as an alternative to your password. However, this is less of a glaring security hole, because to brute-force someone's PIN on that page, you would have to at least know their MileagePlus number. The "Forgot Your MileagePlus Number?" page, on the other hand, allows you to brute-force someone's PIN when all you know is their name.

As is often the case with stolen PINs and passwords, the most harmful effect here would probably not be the compromising of the user's MileagePlus account. The biggest problem is that most users use the same PINs and passwords for multiple accounts, and the attacker now has the 4-digit PIN that the user probably uses for their voicemail password, their ATM card, their burglar alarm, and who knows what else.

I first sent two emails about this to United's bug bounty email address reporting the issue on May 23, a few hours apart, and then followed up on June 1 asking if anyone had seen the first messages. I still have not received a response.

So why didn't United reply? Have they just been receiving too many submissions by email? About 18 months ago I wrote about a researcher who emailed a security hole to Google and never heard back from them, even after they fixed the issue (although Google apologized and paid him his reward after the article ran). I suggested that if email submissions sometimes get back-logged, it would be a more effective approach to have email submissions reviewed by a lower-paid, less-experienced team of interns than by senior security researchers. The principle is that while it takes experience to find and fix security holes, it only takes some simple logical reasoning skills to evaluate whether a particular discovery constitutes a security hole, so the work can be farmed out to interns who want to gain work experience. By having each submission reviewed by, say, 3 randomly chosen interns from your pool of evaluators, you can churn through the submissions faster and reduce the chances of a legitimate bug falling through the cracks.

I'm sure some of the submissions are crap, and it's not United's fault if they initially got behind because they got more mails than they expected. But as soon as they realized they were getting swamped, they should have put more people on it -- even if those extra people were IT interns with just enough computer experience to read a bug description and tell if it was legit.

And one of the interns could also proofread the submission guidelines. Currently, under "things we will pay 250,000 miles for", the program page lists: "Brute-force attacks." Under "things that will result in criminal prosecution," the same page lists: "Brute-force attacks." If United keeps both promises, I hope my air miles don't expire before I get out of jail.

26 of 187 comments

  1. No More Bennett by aardvarkjoe · · Score: 5, Interesting

    I was surprised to find this show up on the Slashdot front page, and then realized that since the last time we had a Bennett post, I had switched computers, and so my user script to block them was no longer installed. Since I'd already seen it, though, I figured I'd post a link to the script again: https://gist.github.com/anonymous/3235db049b18699c082b#file-gistfile1-txt.

    This article isn't as stupid as Bennett's normal tripe; at least he seems to have identified a real issue here, although Slashdot is still allowing him to use their website as his personal blog. One amusing thing, though: he's complaining that United isn't responding to his emails about the hole. I've asked Slashdot repeatedly (through both e-mail and comment threads) to make it possible for us to block Bennett posts, or at least to comment on why they won't. The Slashdot staff have, so far, completely ignored me. They have apparently been too busy adding "share to TwitBook" buttons to the stories.

    --

    How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
    1. Re:No More Bennett by Anonymous Coward · · Score: 2, Insightful

      I think this is the first time I've seen an article title in first person, as well. It's not enough that Bennett uses /. as his personal blog, but now he's even talking about himself on it.

    2. Re:No More Bennett by kaiser423 · · Score: 3, Insightful

      Exactly. This is pretty tripe. He admits up front that the bug bounty program says "No brute forcing of other users account" and then assumes that brute forcing is ok. There's also the possibility that they meant that brute forcing in general is not ok, so just tossed his submission when it arrived because it was a brute force attack. My guess is that they already knew it could be brute forced and were looking for other potential security issues to find and implement as a group before they push the next update -- that they were actually looking for a little more in depth security issues than that.

      I have to say that I'm not honestly surprised that Bennett didn't think of that conclusion, because it would require more than a strict literal interpretation of something and navel gazing, which really are his two specialties.

    3. Re:No More Bennett by bmxeroh · · Score: 3, Interesting

      (Note: While we accept bug reports on the ability to conduct brute-force attacks, we do not allow execution of brute-force attacks on other users. Please see the “Do not attempt” section. If you believe you have found a method to conduct a brute-force or code injection attack, please report it to us without testing it.).

      The program details specifically say that. He's an idiot, but we all knew that.

      --
      Central Ohio Home Theater Installation - The Theater People
    4. Re:No More Bennett by idontgno · · Score: 2

      Brute forcing your own account isn't banned. But it's not rewarded, either. That's what the "If you believe you have found a method to conduct a brute-force or code injection attack, please report it to us without testing it." bit of the rules means.

      In other words, no, Bennett, you did not outsmart those meanies in charge of making the rules of this bug bounty system. Your hack wasn't particularly clever, so doesn't get rewarded as if it were. However, the bug report itself is probably valid, and United obviously has some fixing to do. (No failed-PIN limiter? The 1970s called; they'd like their input validation methodology back.)

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    5. Re:No More Bennett by Anonymous Coward · · Score: 2, Informative

      Don't forget Roland Piquepaille ;)

      You might need something more powerful than a script if he comes back.

  2. No brute-forcing murky... or clear? by JJJJust · · Score: 4, Informative

    The website explains the brute-forcing thing in a roundabout way... but it does note (emphasis added):

    While we accept bug reports on the ability to conduct brute-force attacks, we do not allow execution of brute-force attacks on other users. Please see the “Do not attempt” section. If you believe you have found a method to conduct a brute-force or code injection attack, please report it to us without testing it.

    1. Re:No brute-forcing murky... or clear? by Anonymous Coward · · Score: 3, Informative

      Under "DO NOT ATTEMPT" it clearly states that brute force attacks are not allowed. That's about as clear as they can make it. It's the TOP ITEM under "Don't do this or we will disqualify you and possibly start a criminal investigation."

      Do not attempt:
      Attempting any of the following will result in permanent disqualification from the bug bounty program and possible criminal and/or legal investigation. We do not allow any actions that could negatively impact the experience on our websites, apps or online portals for other United customers.

      Brute-force attacks

    2. Re:No brute-forcing murky... or clear? by Orphis · · Score: 2

      This isn't a BRUTE force attack. This is just a force attack.
      If a server has an issue with 10k requests at night when nobody is using it over a few hours, then they have much bigger problems!

    3. Re:No brute-forcing murky... or clear? by bws111 · · Score: 2

      Brute force has absolutely nothing to do with what the server can handle, it just means trying every possibility.

    4. Re:No brute-forcing murky... or clear? by RavenLrD20k · · Score: 3, Insightful

      I have an idea. How about you learn something before you talk out of your ass? Brute force has never, in the entire lifetime of the phrase, meant that you were pegging a server while you are trying every possibility for the password on an account. Hell, if I send a username and next-in-series password at a rate of one every 20 minutes, that's still classified as a brute force attack, and unless the server is really anemic, there's no chance in Hell that the server is going down. If I'm doing that same type of attack at a rate of 200 attempts per second, or even 2000 attempts per second, that's still not going to blip much on the server's CPU unless it's already bogged with another process, and those are STILL classed as brute force.

      The type of attack you're looking for is Distributed Denial of Service, which isn't generally for breaking into accounts but taking the server down with an overwhelming number of requests or pings that the server doesn't have the resources to be able to respond to any further requests.

    5. Re:No brute-forcing murky... or clear? by grahamsz · · Score: 2

      You could easily refine this based on the logic that users are horribly bad at choosing passwords and pins

      http://www.datagenetics.com/bl...

      You only need to try 426 codes to hit 50% of all pin codes (in that analysis)

  3. "My" by Anonymous Coward · · Score: 5, Insightful

    If the title of your post starts with "my", and it isn't on Ask Slashdot, you are a douche.

  4. Um... Did you actually read the program? by Anonymous Coward · · Score: 5, Informative

    Bugs that are eligible for submission:
    The ability to brute-force reservations, MileagePlus numbers, PINs or passwords (Note: While we accept bug reports on the ability to conduct brute-force attacks, we do not allow execution of brute-force attacks on other users. Please see the “Do not attempt” section. If you believe you have found a method to conduct a brute-force or code injection attack, please report it to us without testing it.)

    Do not attempt:
    Attempting any of the following will result in permanent disqualification from the bug bounty program and possible criminal and/or legal investigation. We do not allow any actions that could negatively impact the experience on our websites, apps or online portals for other United customers.

    Brute-force attacks

    So... It looks like you didn't follow the rules & tested a brute force attack. That straight away says that they will most likely ( and with valid reasoning ) disqualify you from the program. Since you used your account only, they will likely not prosecute. You still broke the rules and will probably not get anything except kicked out.

    1. Re:Um... Did you actually read the program? by CronoCloud · · Score: 3, Insightful

      Yeah, he interpreted it as forbidding brute-force testing against other users, but allowing brute-force against one's own account when it's clear that it actually means "don't test brute-force attacks at all"

      Frequent Contributor Bennett Haselton is coming across as a bit "Autistic spectrum-y" in this story.

    2. Re:Um... Did you actually read the program? by Ichijo · · Score: 3, Insightful

      Serious question: how could someone determine that PINs can be brute-forced without brute forcing them? Without the ability to prove it, it's the bounty hunter's word against the website, and we already know websites will do anything they can to avoid paying.

      --
      Any sufficiently unpopular but cohesive argument is indistinguishable from trolling.
    3. Re:Um... Did you actually read the program? by bennetthaselton · · Score: 2

      Yeah, he interpreted it as forbidding brute-force testing against other users

      That's right, since it said "we do not allow execution of brute-force attacks on other users"

  5. I tried... by bogie · · Score: 5, Funny

    But they said there was now a $50 service fee in order for me to submit my bug. They said something about how fuel prices had gone up and they had no choice but to start charging the fee.

    --
    If you wanna get rich, you know that payback is a bitch
  6. Maybe your report was too long. by SeaFox · · Score: 5, Funny

    If your bug submission was anything like your Slashdot submissions, their eyes glazed over after the first three paragraphs and they didn't even read the other eight pages where you actually explained the hack.

  7. Is Haselton going to jail? by Anonymous Coward · · Score: 2, Insightful

    http://www.united.com/web/en-US/content/contact/bugbounty.aspx#terms

    Do not attempt:

    Attempting any of the following will result in permanent disqualification from the bug bounty program and possible criminal and/or legal investigation[!!1!]. We do not allow any actions that could negatively impact the experience on our websites, apps or online portals for other United customers.

            Brute-force attacks
            Code injection on live systems
            Disruption or denial-of-service attacks
            The compromise or testing of MileagePlus accounts that are not your own
            Any testing on aircraft or aircraft systems such as inflight entertainment or inflight Wi-Fi
            Any threats, attempts at coercion or extortion of United employees, Star Alliance member airline employees, other partner airline employees, or customers
            Physical attacks against United employees, Star Alliance member airline employees, other partner airline employees, or customers
            Vulnerability scans or automated scans on United servers (including scans using tools such as Acunetix, Core Impact or Nessus)

    Please, please, please, let it happen!

  8. I thought we were done with this crap... by dark.nebulae · · Score: 2

    After not hearing from bennett for so long, I thought slashdot had finally come to its senses and shit-canned that ass wipe. I guess I'm the ass wipe instead.

  9. Up to 1 million air miles* by NotDrWho · · Score: 3, Funny

    * Meaning 0 - 1 million air miles

    --
    SJW's don't eliminate discrimination. They just expropriate it for themselves.
  10. A million miles on United? by Virtucon · · Score: 4, Funny

    That's like 10 years in Leavenworth.

    --
    Harrison's Postulate - "For every action there is an equal and opposite criticism"
  11. If you get them to honor it... by Overzeetop · · Score: 3, Funny

    Good News - you've got a million frequent flyer miles!
    Bad News - you have to fly United.

    --
    Is it just my observation, or are there way too many stupid people in the world?
  12. You forgot to mention one thing... by bobbied · · Score: 2

    One of the terms here is that your submission "MUST BE THE FIRST" that specifies the successful attack...

    If you don't know for sure yours was the first (and there is no way you can) it's up to United to respond or not and pony up with the miles or not. So you did all that work, proved the attack works, but you don't really know if United hasn't already validated somebody else's submission for this and paid THEM the miles you think they owe you.

    Then there is the whole, how do you know they actually received it vector....

    Look, you are unlikely to get anything out of United on this. Stop whining about it and move on.

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  13. Re:Additional context for non-frequent flyers by ErichTheRed · · Score: 2

    Yes, it's easy to just grant FQTV miles arbitrarily, but airlines do somewhat treat them like currency. Also, the old-school domestic airlines (AA, UA, DL, hey, are there really only 3 left???) rely heavily on business travelers so it's in their best interest to not water down their programs. But you are right - unless they specifically block out inventory, they won't lose money, especially for a one-off bug bounty payment.

    Look at FlyerTalk forums sometime. All those consultants working for the Big 4, or traveling salesmen, or midlevel corporate executives are on there complaining constantly about a perceived slight or loss of benefit. I know a bunch of consultants who easily fly 40+ weeks out of the year. I can definitely see someone being upset about service if they have to endure that much flying, but there are some people who really take it to an extreme. One example would be just missing a status level unless you happen to book an around-the-world trip by the end of the year, and literally sitting on the plane for 48 hours to rack up miles. I guess I'd be a little upset if I did a mileage run and then couldn't get anything for it, but still...

    It's even more interesting now with Delta. DL has decided they actually want to sell first class seats to paying customers, so they're reducing the price from, say, 8x economy price to 3x economy price. That really stirred up a s**tstorm with heavy Delta flyers -- suddenly it's a million times harder to get a free upgrade unless you're Platinum Elite. I'm a moderate flyer, never enough to even get the first status level in a FF program, but I always just end up buying tickets over the long run with what I rack up. That seems to work for me....that and hotel points -- taking a family of four on a trip is easier with the occasional free hotel night Marriott throws me.