A major back-end provider for free flights, hotel bookings, and other points-based rewards had multiple security flaws that potentially put millions of customers’ personal data in jeopardy.
The disclosure was made on August 3rd by cybersecurity researcher Sam Curry and his team, which detected “multiple security vulnerabilities” in the points.com website between March and May.
Curry says these would have allowed an attacker to access customer account details, including names, billing addresses, redacted credit card details, emails, phone numbers, and transaction records.
To put that in perspective, Curry’s team found that 22 million customer records were exposed in one flaw it scrutinized on March 7th. The points.com service is used by airline carriers and hotel chains worldwide, and counts Singapore Airlines, Hilton Honors, Virgin Atlantic Flying Club, and Marriott Bonvoy among its clients.
Curry says he and his team were able to exploit the flaw — which they did only for research and security purposes, and not illegal personal gain — and access “a huge percentage of global rewards programs.”
The point(s) of the story
Not only did this give them access to personal data — which can be sold or used by cybercriminals to facilitate online fraud, phishing, and even ransomware attacks — but it meant they could have tampered with the rewards system points.com is designed to administer on behalf of its client roster.
“The attacker could exploit these vulnerabilities to perform actions such as transferring points from customer accounts and gaining unauthorized access to a global administrator website,” said Curry. “This unauthorized access would grant the attacker full permissions to issue reward points, manage rewards programs, oversee customer accounts, and execute various administrative functions.”
Partner businesses affected by the design glitch included the Virgin Rewards Program, which an attacker could manipulate into giving away free points, and United Airlines, “where an attacker could generate an authorization token for any user knowing only their rewards number and surname.”
Curry added: “Through this issue, an attacker could both transfer miles to themselves and authenticate as the member on multiple apps related to MileagePlus, potentially including the MileagePlus administrator panel.”
Curry stresses that points.com complied swiftly upon being notified of the security flaws, taking affected websites offline promptly before fixing the issues and helping his team to file a detailed cybersecurity report on the issue.
“We reported all issues to the points.com security team who very quickly patched them and worked with us in creating this disclosure,” he said.