My United Airlines Website Hack Gets Snubbed
United Airlines announced the program in May (also specifying rules which specifically prohibited hacking in-flight systems, but which listed, among eligible bugs, "[t]he ability to brute-force reservations, MileagePlus numbers, PINs or passwords"). I poked around on their website and discovered that on their "Forgot your MileagePlus number?" page, you can request a reset of your password by submitting your first and last name, AND any ONE of the following:
- your e-mail address
- your street address
- your phone number
- your PIN
- your password
- your "old MileagePlus number"
And after submitting your information, the page will tell you whether your information matched an existing MileagePlus customer record.
This means that if you know a user's first and last name, you can guess their PIN, and the MileagePlus site will tell you whether you got it right or not. If the site doesn't limit your number of guesses, you can write a script that iterates through all 10,000 possibilities for the PIN until it finds the right one.
I wrote a script that did exactly that, and brute-forced my own account's PIN in a few hours (submitting one guess at a time, and running at 2 a.m. so as not to impact any other users). This means that United's website is not limiting the number of guesses per IP address, or showing a CAPTCHA after some number of failed attempts, or limiting the number of guesses per hour on a particular account, or applying any other countermeasures that you might expect. (The Bug Bounty Program rules state, "[W]e do not allow execution of brute-force attacks on other users," which I interpreted to mean that brute-forcing your own account ought to be fine.)
So, United, if you're reading this, the immediate fix should be to disable the "PIN" option on the "Forgot your MileagePlus Number?" page. Keep the option to retrieve your account number by submitting your password, since even weak passwords are far harder to guess than 4-digit PIN numbers. But get rid of the PIN option.
I mentioned other possible countermeasures, including limiting requests per IP address and showing a CAPTCHA, but I actually don't think either of these would be effective. If you limit requests per IP address, any serious adversary will have a botnet of machines that they can use to submit requests from different addresses. If you make the user type in a CAPTCHA to submit a request, an attacker can hire workers online to read and type in the CAPTCHAs for a penny apiece. If you limit the number of reset attempts per hour on a particular account, that will slow down the attacker's attempts to brute-force the PIN for a particular account. However, if the attacker has a database of 1000 customer names and wants to find PINs for all of them, on Day 1 they could try 10 PINs for customer 1, then 10 PINs for customer 2, and so on up to customer 1000, and then on Day 2 they could try the next set of 10 PINs on customer 1, customer 2, etc. The attacker can't find any particular customer's PIN quickly, but they will be able to recover all of the customers' PINs slowly -- even though they never did more than 10 PIN authentication attempts on any particular account in the same day. Without a safe countermeasure, then, simply getting rid of PIN authentication would be the best fix.
It's because of attacks like this that I would argue that 4-digit PINs should never be used by themselves for authentication, if there's any possibility of a brute-force attack. They should only ever be used (a) for authentication in conjunction with something else, like a password (for example, if you're already logged in to a financial services account, you could require an additional 4-digit PIN to transfer money to another user); or (b) in a scenario where a brute-force attack is infeasible (for example, if you call tech support and a live human operator asks you to authenticate yourself with a 4-digit PIN).
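To make the fixes discussed above concrete, here is an added example of a hardened "Forgot your MileagePlus number?" handler. It is not United's code and not from the original article; the customer table, the field names, the `MAX_ATTEMPTS` value and the `recover_number` function are all hypothetical. It applies three defences at once: the PIN is never accepted as the sole matching factor (it can only narrow an otherwise valid request, never widen it), the response text is identical whether or not anything matched (so the page is no longer an oracle for "does this name plus factor exist?"), and a per-account lockout is checked before any matching work is done.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_ATTEMPTS = 5  # hypothetical per-account cap; after this, recovery is frozen for manual review


def _hash(secret: str, salt: bytes) -> bytes:
    # PBKDF2 so a leaked table does not hand out PINs and passwords directly.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


@dataclass
class Customer:
    number: str
    first: str
    last: str
    email: str
    salt: bytes
    pw_hash: bytes
    pin_hash: bytes
    failed: int = 0
    locked: bool = False


def make_customer(number, first, last, email, password, pin) -> Customer:
    """Build a constructed customer record (sample data, not real)."""
    salt = os.urandom(16)
    return Customer(number, first.lower(), last.lower(), email.lower(), salt,
                    _hash(password, salt), _hash(pin, salt))


# One response text for every outcome: the requester learns nothing about
# whether the name or the supplied factor matched a record.
UNIFORM = ("If the details you entered match an account, we have emailed the "
           "MileagePlus number to the address on file.")


def recover_number(db, first, last, email=None, password=None, pin=None):
    """Simulated 'Forgot your MileagePlus number?' handler (hypothetical).

    Returns (message, email_sent). The message is always UNIFORM; email_sent
    is an internal outcome for logging and for this example's checks, and is
    never shown to the requester.
    """
    sent = False
    for c in db:
        if (c.first, c.last) != (first.lower(), last.lower()):
            continue
        # Lockout is checked before any factor comparison, so a frozen
        # account cannot be probed further.
        if c.locked:
            continue
        # Only a strong identifier may establish the match. The PIN is never
        # sufficient on its own; when supplied it is an extra check that can
        # only reject a request, never accept one.
        strong = False
        if email is not None:
            strong = hmac.compare_digest(email.lower().encode(), c.email.encode())
        elif password is not None:
            strong = hmac.compare_digest(_hash(password, c.salt), c.pw_hash)
        pin_ok = pin is None or hmac.compare_digest(_hash(pin, c.salt), c.pin_hash)
        if strong and pin_ok:
            c.failed = 0
            sent = True          # a real handler would enqueue the email here
        else:
            c.failed += 1
            if c.failed >= MAX_ATTEMPTS:
                c.locked = True  # a real handler would also notify the customer
    return UNIFORM, sent
```

Because the message never varies, a wrong PIN, a wrong password, an unknown name and a locked account all look the same from outside; the only thing the requester can observe is whether an email arrives at an inbox they already control. The per-account cap still does nothing against the "10 guesses per account per day across 1000 accounts" pattern described above, which is why the PIN is demoted to a secondary check here rather than rate-limited as a primary one. Timing differences between the branches are not equalised in this example.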
The same attack is probably possible on the MileagePlus login page, since you can log in using your 4-digit PIN as an alternative to your password. However, this is less of a glaring security hole, because to brute-force someone's PIN on that page, you would have to at least know their MileagePlus number. The "Forgot Your MileagePlus Number?" page, on the other hand, allows you to brute-force someone's PIN when all you know is their name.
As is often the case with stolen PINs and passwords, the most harmful effect here would probably not be the compromising of the user's MileagePlus account. The biggest problem is that most users use the same PINs and passwords for multiple accounts, and the attacker now has the 4-digit PIN that the user probably uses for their voicemail password, their ATM card, their burglar alarm, and who knows what else.
I first sent two emails about this to United's bug bounty email address on May 23, a few hours apart, reporting the issue, and then followed up on June 1 asking if anyone had seen the first messages. I still have not received a response.
So why didn't United reply? Have they just been receiving too many submissions by email? About 18 months ago I wrote about a researcher who emailed a security hole to Google and never heard back from them, even after they fixed the issue (although Google apologized and paid him his reward after the article ran). I suggested that if email submissions sometimes get back-logged, it would be a more effective approach to have email submissions reviewed by a lower-paid, less-experienced team of interns than by senior security researchers. The principle is that while it takes experience to find and fix security holes, it only takes some simple logical reasoning skills to evaluate whether a particular discovery constitutes a security hole, so the work can be farmed out to interns who want to gain work experience. By having each submission reviewed by, say, 3 randomly chosen interns from your pool of evaluators, you can churn through the submissions faster and reduce the chances of a legitimate bug falling through the cracks.
I'm sure some of the submissions are crap, and it's not United's fault if they initially got behind because they got more mails than they expected. But as soon as they realized they were getting swamped, they should have put more people on it -- even if those extra people were IT interns with just enough computer experience to read a bug description and tell if it was legit.
And one of the interns could also proofread the submission guidelines. Currently, under "things we will pay 250,000 miles for", the program page lists: "Brute-force attacks." Under "things that will result in criminal prosecution," the same page lists: "Brute-force attacks." If United keeps both promises, I hope my air miles don't expire before I get out of jail.
No More Bennett (Score:5, Interesting)
I was surprised to find this show up on the Slashdot front page, and then realized that since the last time we had a Bennett post, I had switched computers, and so my user script to block them was no longer installed. Since I'd already seen it, though, I figured I'd post a link to the script again: https://gist.github.com/anonymous/3235db049b18699c082b#file-gistfile1-txt [github.com].
This article isn't as stupid as Bennett's normal tripe; at least he seems to have identified a real issue here, although Slashdot is still allowing him to use their website as his personal blog. One amusing thing, though: he's complaining that United isn't responding to his emails about the hole. I've asked Slashdot repeatedly (through both e-mail and comment threads) to make it possible for us to block Bennett posts, or at least to comment on why they won't. The Slashdot staff have, so far, completely ignored me. They have apparently been too busy adding "share to TwitBook" buttons to the stories.
Re: (Score:2, Insightful)
I think this is the first time I've seen an article title in first person, as well. It's not enough that Bennett uses /. as his personal blog, but now he's even talking about himself on it.
Re: (Score:2)
Thanks for your script. I modified it to also block posts from StartsWithABang just in case he comes back
Re: (Score:2, Informative)
Don't forget Roland Piquepaille ;)
You might need something more powerful than a script if he comes back [wikipedia.org].
Re: (Score:3, Insightful)
Re:No More Bennett (Score:4, Interesting)
The program details specifically say that. He's an idiot, but we all knew that.
Re: (Score:3)
Brute forcing your own account isn't banned. But it's not rewarded, either. That's what the "If you believe you have found a method to conduct a brute-force or code injection attack, please report it to us without testing it." bit of the rules means.
In other words, no, Bennett, you did not outsmart those meanies in charge of making the rules of this bug bounty system. Your hack wasn't particularly clever, so doesn't get rewarded as if it were. However, the bug report itself is probably valid, and United obv
Prarie shit (Score:2)
It's completely clear: they don't, otherwise why bother writing "on other users"?
If I say "don't drink the beer on the table" that means you totally can drink the lemonade, or the beer in the cupboard. If I'd meant "don't drink" that's what I'd have said.
However, later it says brute force attacks aren't allowed, with no restriction or qualification.
Though it pains me most grievously, I can sympathise with Bonehead Hamsterbum to an extent - the rules are badly written. They break DRY, except it's even wors
Does 10,000 hits really count as brute force? (Score:2)
These days we talk about brute forcing keys with trillions of possible candidates, this is more like "slight" force rather than brute force.
Re: (Score:2)
Is it for adblock?
Re: (Score:2)
In chromium/chrome, you can save the file as "nobennett.user.js" and drag it from your file manager onto the chrome://extensions page; chrome will then give you a popup to ask you to confirm.
In firefox, you can install it using the Greasemonkey plugin.
There might be other options for other browsers; this was the first/only user script I've ever written, so I don't know all the tricks.
Re: (Score:2)
Nice and clean. Thanks.
Re: (Score:2)
1. Massive clickbait to sell to advertisers.
2. Not a single positive comment from their contributors.
It's a sad situation that I come to this site to read the insights of fellow slashdotters, from whom I have learned a great deal, when my visit is earning money for a set of cynical p
Re: (Score:2)
I actually thought we were done with him. I was actively checking the names of posts in my RSS feed I thought sounded stupid and didn't see him on any, despite having no script for blocking. Damn.
Re: (Score:2)
Re: (Score:2)
That word does not mean what you think it does.
No brute-forcing murky... or clear? (Score:5, Informative)
While we accept bug reports on the ability to conduct brute-force attacks, we do not allow execution of brute-force attacks on other users. Please see the “Do not attempt” section. If you believe you have found a method to conduct a brute-force or code injection attack, please report it to us without testing it.
Re: (Score:1, Redundant)
"we do not allow execution of brute-force attacks on other users"
he did it to his own account
Re: (Score:3, Informative)
Under "DO NOT ATTEMPT" it Clearly states that Brute Force Attacks are not allowed. That's about as clear as they can make it. It's the TOP ITEM under "Don't do this or we will disqualify you and possibly start a criminal investigation"
Do not attempt:
Attempting any of the following will result in permanent disqualification from the bug bounty program and possible criminal and/or legal investigation. We do not allow any actions that could negatively impact the experience on our websites, apps or online portal
Re: (Score:2)
This isn't a BRUTE force attack. This is just a force attack.
If a server has an issue with 10k requests at night when nobody is using it over a few hours, then they have much bigger problems!
Re: (Score:3)
Brute force has absolutely nothing to do with what the server can handle, it just means trying every possibility.
Re: (Score:2)
There's no brutality in this attack,
Oh for Christ's sake. That's not what "brute" in "brute force attack" means. You are an idiot.
He isn't pushing the system to the limits while going through all the possible values, which is what happens in traditional brute force attacks.
Brute force attacks don't require pushing the system to its limits. Brute force attack means using a blunt object (all possible combinations) instead of a finer method (SQL injection, etc) to gain access.
The ban on that type of attack is to prevent the researchers from overloading the servers.
No it isn't. The ban on getting credit for reporting that type of hack is because it isn't a hack. It is simply using all possible combinations of access credentials until access is granted. It isn't finding a b
Re: (Score:3)
You could easily refine this based on the logic that users are horribly bad at choosing passwords and pins
http://www.datagenetics.com/bl... [datagenetics.com]
You only need to try 426 codes to hit 50% of all pin codes (in that analysis)
Re:No brute-forcing murky... or clear? (Score:4, Insightful)
I have an idea. How about you learn something [wikipedia.org] before you talk out of your ass? Brute force has never, in the entire lifetime of the phrase, meant that you were pegging a server while you are trying every possibility for the password on an account. Hell, if I send a username and next-in-series password at a rate of one every 20 minutes, that's still classified as a brute force attack, and unless the server is really anemic, there's no chance in Hell that the server is going down. If I'm doing that same type of attack at a rate of 200 attempts per second, or even 2000 attempts per second, that's still not going to blip much on the server's CPU unless it's already bogged with another process, and those are STILL classed as brute force.
The type of attack you're looking for is Distributed Denial of Service, which isn't generally for breaking into accounts but taking the server down with an overwhelming number of requests or pings that the server doesn't have the resources to be able to respond to any further requests.
Re: (Score:2)
If a server has an issue with 10k requests at night when nobody is using it over a few hours, then they have much bigger problems!
It is daytime somewhere on the planet all the time, United flies internationally, and there are good reasons why someone even in the US would use the United web system when it is their local nighttime. Your excuse that it was "at night when nobody is using it" is ridiculous. People use it all the time. The interwebs are international in scope, dude.
"At night" doesn't mean it wasn't brute force. Brute force, as another has already pointed out, means "trying all combinations", not "there's only 10,000".
And
Re: (Score:2)
You can still mitigate brute-forcing by putting a waiting period between attempts. And a PIN with only 10,000 combinations absolutely needs protection. So if they left it unprotected, they should fix it.
Re: (Score:2)
Re: (Score:2)
You report it to them and they test it.
Bug Bounties . . . (Score:2)
. . . are usually crap.
"My" (Score:5, Insightful)
If the title of your post starts with "my", and it isn't on Ask Slashdot, you are a douche.
Re: (Score:1)
TILSIAK (Today I Learned Something I Already Knew): Bennett Haselton is a douche.
You must be new here.
If you think you're in the right... (Score:2)
sue them.
Re: (Score:2)
Um... Did you actually read the program? (Score:5, Informative)
Bugs that are eligible for submission:
The ability to brute-force reservations, MileagePlus numbers, PINs or passwords (Note: While we accept bug reports on the ability to conduct brute-force attacks, we do not allow execution of brute-force attacks on other users. Please see the “Do not attempt” section. If you believe you have found a method to conduct a brute-force or code injection attack, please report it to us without testing it.)
Do not attempt:
Attempting any of the following will result in permanent disqualification from the bug bounty program and possible criminal and/or legal investigation. We do not allow any actions that could negatively impact the experience on our websites, apps or online portals for other United customers.
Brute-force attacks
So... It looks like you didn't follow the rules & tested a brute force attack. That straight away says that they will most likely ( and with valid reasoning ) disqualify you from the program. Since you used your account only, they will likely not prosecute. You still broke the rules and will probably not get anything except kicked out.
Re:Um... Did you actually read the program? (Score:4, Insightful)
Yeah, he interpreted it as forbidding brute-force testing against other users, but allowing brute-force against one's own account when it's clear that it actually means "don't test brute-force attacks at all"
Frequent Contributor Bennet Haselton is coming across as a bit "Autistic spectrum-y" in this story.
Re: (Score:2)
>> (Note: While we accept bug reports on the ability to conduct brute-force attacks...
> when it's clear that it actually means "don't test brute-force attacks at all"
I hate Bennet Haselton as much as the next man, but you are actually wrong according to GP's quote from the rules.
Re: (Score:2)
I hate Bennet Haselton as much as the next man, but you are actually wrong according to GP's quote from the rules.
He is actually right, according to GPs quote from the rules.
He attempted a brute-force attack. From the fine summary:
So our fine author admitted he did what the rules prohibited. The rules appear quite clear: they will accept reports of how a brute-force attack c
Re: (Score:2)
Why on Earth aren't you allowed to test brute force attacks against your own account?
Because it isn't your computer and the people who own the computer say you aren't allowed to. Because, while THIS brute force attack may have -- we assume -- little effect on the servers being attacked, other brute force attacks may not be as benign. Because you may not be as good a programmer as you think you are and your "benign" brute force attack may turn out to be quite disruptive. But the main reason is given in the topic sentence of this paragraph.
Re: (Score:2)
Yeah, he interpreted it as forbidding brute-force testing against other users
That's right, since it said "we do not allow execution of brute-force attacks on other users"
Re: (Score:2)
You seem to have accidentally hit the "coming across as a bit " key on your keyboard, the "-y" key, and the " in this story" key.
Your keyboard looks mighty strange from over here.
Re:Um... Did you actually read the program? (Score:4, Insightful)
Re: (Score:2)
Try 10 times and assume that there isn't a cap after that. Much easier on the servers than 9999 password reset attempts.
This is a huge security vulnerability and they should patch it. But he also blatantly broke the rules.
Re: (Score:2)
Please provide pseudocode that determines whether he used brute-force. Be sure to fully justify, with citations where possible, any violation of the zero-one-infinity rule [wikipedia.org] in your answer. For example, why 10 attempts? Why not 9, or 11?
If you can do this, then your claim that he "blatantly" broke the rules might be valid. Good luck!
Re: (Score:2)
You have to give them the benefit of the doubt. If they refuse to pay up you go public with your complaint and maybe threaten legal action. In the UK you can use the small claims system that only costs about $50, no lawyer needed.
And next time you sell the vulnerability on the open market, as does everyone else who read your warning.
Re: (Score:2)
Sorry, that would be brute-forcing. Try again.
Re: (Score:2)
So really, they are doing him a favor by ignoring him.
If they acknowledge it, they have to kill his account and possibly report him to the authorities.
I tried... (Score:5, Funny)
But they said there was now a $50 service fee in order for me to submit my bug. They said something about how fuel prices had gone up and they had no choice but to start charging the fee.
Maybe your report was too long. (Score:5, Funny)
If your bug submission was anything like your Slashdot submissions, their eyes glazed over after the first three paragraphs and they didn't even read the other eight pages where you actually explained the hack.
Re: (Score:1)
Is Haselton going to jail? (Score:2, Insightful)
http://www.united.com/web/en-US/content/contact/bugbounty.aspx#terms
Do not attempt:
Attempting any of the following will result in permanent disqualification from the bug bounty program and possible criminal and/or legal investigation[!!1!]. We do not allow any actions that could negatively impact the experience on our websites, apps or online portals for other United customers.
Brute-force attacks
Code injection on live systems
Disruption or denial-of-service attacks
The compromise or testing of MileagePlus accounts that are not your own
Any testing on aircraft or aircraft systems such as inflight entertainment or inflight Wi-Fi
Any threats, attempts at coercion or extortion of United employees, Star Alliance member airline employees, other partner airline employees, or customers
Physical attacks against United employees, Star Alliance member airline employees, other partner airline employees, or customers
Vulnerability scans or automated scans on United servers (including scans using tools such as Acunetix, Core Impact or Nessus)
Please, please, please, let it happen!
Re: (Score:2)
The thing is, you can't find a brute force attack without testing it. And this one is so basic that it's mind boggling that even a clueless web designer let it slip through. This is one that can't be reasonably reported without testing it.
Mind you, I'm as in favor of Bennett Hassleton being sodomized by a mutant goat on Viagra as anybody, but United's position is, frankly, kinda silly.
Re: (Score:1)
The thing is, you can't find a brute force attack without testing it.
Yes you can. Are there captcha codes for instance? Can you make more than X (where x is a reasonable number) attempts to incorrectly log in? If no, then you have a brute force vector.
Re: (Score:2)
The thing is, you can't find a brute force attack without testing it.
Of course you can. A four digit PIN is, well, there's only 10,000 possible entries, and you can run through those in a relatively short time.
And this one is so basic that it's mind boggling that even a clueless web designer let it slip through.
Huh? You don't think that United might want to allow their paying customers to be able to recover access to their account in some automated way so they can buy more services from United? This is a design decision, not a simple web-designer screw-up.
Yeah, they could disable an account and force the customer to call a phone number to get it re-enabled, like some webs
Re: (Score:2)
s/United/your bank/
s/recover access to/withdraw money from/
After n failures it should lock, impose a wait, use captchas or something. Design decision my arse.
Re: (Score:2)
I'm not saying they should disable all automated methods to retrieve your account number, just the method that requires a PIN.
I thought you were saying that you were unhappy because they ignored your brute force attack and report of same and didn't hand you a million award miles.
Remember, I said that the "Forgot your account number?" page lets you retrieve your account number if you enter your name along with any ONE of the following: your e-mail address
So you're perfectly happy if someone can "hack" into a United account by knowing someone's name and email address, but not if they know the name and take up to 10000 guesses at the PIN.
your "old MileagePlus number"
And it's ok to brute force the old Mileage Plus numbers (six digits, IIRC), but not a four digit PIN.
Re: (Score:2)
Re: (Score:2)
To hack the account, they need both the account number and either the PIN or password. This allows them to brute force the PIN, and retrieve the account number as a byproduct of that.
No, you don't get the account number that way. The "forgot account number" page uses the customer name and one of the listed items of information to identify your account. If it can identify your account it sends an EMAIL with the account number to the email address of record on that account.
The horrendous failure is that they don't simply pretend to send an email if you get the PIN wrong, they report that they can't find the account. I've had a bank that pretended to send an email and it was VERY conf
Re: (Score:2)
How you test for a brute-force vector without conducting a full brute force attack:
Hey, United, I was able to try 10 user/PIN combinations within 30 seconds of each other and did not hit any timeout walls or seeming account blocks. I was also able to directly use my real account/PIN combination on the 11th attempt that I manually did 5 seconds later and was able to get full access to my account. You might want to take a look at this to make sure that on a proper brute-force scale you're not caught with yo
Re: (Score:2)
Somebody needs to build a Bennett Hassleton goat sim level.
Parent poster has suggested the first activity.
or you could do this... (Score:2)
"Hi. You haven't acknowledged my findings yet. I think I have demonstrated that I've met the requirements of your "bounty". You can of course disagree, and that's fine. There are others who want to buy my work. Should I not hear back from you in the next 14 days, I will do business with them."
Re: (Score:2)
While this shouldn't be on Slashdot (in this format, AKA personal blog post), Bennett's actions are better than trying to coerce them.
Forbidden as per their terms:
Any threats, attempts at coercion or extortion of United employees, Star Alliance member airline employees, other partner airline employees, or customers
Re: (Score:2)
He can't sell that exploit. He's already given it away. Here.
Please tell me about the other amazing business strategies you're contemplating. Your ideas are intriguing to me and I wish to subscribe to your newsletter.
Re: (Score:2)
Quick trip to a federal court for extortion.
Obvious (Score:1)
Had you read the rules, you might have noticed:
Attempting any of the following will result in permanent disqualification from the bug bounty program and possible criminal and/or legal investigation: Brute-force attacks
I thought we were done with this crap... (Score:2)
Re: (Score:2)
pot meet kettle? Just saying..
Write a song about it. (Score:2)
Since Mr Hennet Baselton is a blogger, maybe he should write a post about it. Perhaps it will go viral just like this musician's songs about United breaking guitars [wikipedia.org]. Not.
Jokes aside, I have some friends that are travel agents, and they all seem to shy away from letting their clients fly United.
Typical Bennett noise (Score:1)
No surprises to be found; Bennett chooses a literal interpretation of something to further his own agenda, and disregards the rule saying "If you find a brute force attack, do not attempt it, it is immediate disqualification."
I wish Bennett was as smart as he thinks he is and found something noteworthy enough to be sued for exploiting, but the only hack here is him.
So hey bennet (Score:1)
To be completely honest I enjoy having an occasional Bennett Haselton submission. (And a quick search through slashdot, they are occasional). I learn a little thing and I think a moderate amount. Which is exactly what I come to slashdot for. If you do ever quit submitting to slashdot I may actually look to see if you have a blog.
I always hate when companies have such glaring security flaws and refuse to do anything about it. They deserve what comes to them I guess...
Get around the brute force ban (Score:2)
[shrugs] you could just resubmit it and show the possibility for a brute force without actually admitting that you broke the rules in testing the possibility...
Re: (Score:2)
Not any more. Five thousand slashdotters just did that.
Up to 1 million air miles* (Score:4, Funny)
* Meaning 0 - 1 million air miles
Re: (Score:2)
0..* FTFY
Additional context for non-frequent flyers (Score:1)
Something you may not realize if you're not a frequent flyer is that FF miles cost the airline almost nothing since they don't open up additional rewards inventory to match. That is, United could give Bennett a million miles (equivalent to about 40 domestic cheap roundtrips, or several international business or first class trips) by merely changing numbers in their database. They don't actually incur any significant expense because they open the same amount of rewards inventory (seats that can be purchase
Re: (Score:3)
Yes, it's easy to just grant FQTV miles arbitrarily, but airlines do somewhat treat them like currency. Also, the old-school domestic airlines (AA, UA, DL, hey, are there really only 3 left???) rely heavily on business travelers so it's in their best interest to not water down their programs. But you are right - unless they specifically block out inventory, they won't lose money, especially for a one-off bug bounty payment.
Look at FlyerTalk forums sometime. All those consultants working for the Big 4, or tr
Re: (Score:2)
Most United Frequent Flyer awards aren't claimed, though. Except for really popular routes at popular times you can get a Saver Frequent Flyer ticket almost anywhere. Your assertion assumes that Award tickets are always completely filled. Especially considering that most Airlines can now sell out entire flights most of the time, that means they are missing out on some revenue.
Frequent flyer programs do cost money but they also do make a lot of money too. Both through Credit Card fees and because
A million miles on United? (Score:5, Funny)
That's like 10 years in Leavenworth.
More like... (Score:2)
...13 or 14 if you factor in the number of times your flight will be delayed or cancelled.
If you get them to honor it... (Score:4, Funny)
Good News - you've got a million frequent flyer miles!
Bad News - you have to fly United.
Fix the Date, Phone and Reservation ID (Score:2)
Credit card numbers ditto.
Reservation number. If the first character is a space (as it often is after a copy/paste from e-mail) then ignore it and take the rest
You forgot to mention one thing... (Score:3)
One of the terms here is that your submission "MUST BE THE FIRST" that specifies the successful attack...
If you don't know for sure yours was the first (and there is no way you can) it's up to United to respond or not and pony up with the miles or not. So you did all that work, proved the attack works, but you don't really know if United hasn't already validated somebody else's submission for this and paid THEM the miles you think they owe you.
Then there is the whole, how do you know they actually received it vector....
Look, you are unlikely to get anything out of United on this. Stop whining about it and move on.
Re: (Score:2)
Any reasonable bug bounty programme should pay out if you report a bug while it's live. It's only fair, especially if the goal is to stop bugs being sold as zero day.
They probably never got the email (Score:2)
Why Brute Force PIN? (Score:1)
tl;dr: meh (Score:2)
Great News (Score:2)
I hope Bennett gets his million free air miles so that he'll spend more time traveling and less time writing Slashdot submissions!
Re: (Score:2)
They promise "up to" one million free miles...
0 = 1000000 therefore they are living up to their promise... technically....
Re: (Score:2)
hmm make that "less than or equal to" /. requires & l t ;
I forgot
Birthday Attack (Score:2)
Keep the option to retrieve your account number by submitting your password, since even weak passwords are far harder to guess than 4-digit PIN numbers.
I don't think that's a reasonable assumption to make, particularly if you don't care about which account you get access to. Instead of guessing a lot of passwords for a single user, you can guess a small number of passwords for a lot of users. This also gets around any limits regarding access for a single account, as has been suggested as a solution. Getting multiple boxes to carry out this operation gets around limits regarding account access from a single IP address.
If you choose a sufficiently common wea
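The pattern in this post (a few guesses against many accounts) and the one in the article (10 PINs per account per day across 1000 customers) look identical to a per-account rate limiter: every account stays under its cap. The added example below, which is not from the article, this poster or United, shows detection logic that looks at the failures the other way round. The log format, the endpoint names, the IP addresses and the thresholds are all constructed for the example; in a real deployment the `global_min_accounts` threshold would be set from a measured baseline of ordinary recovery-page failures per day.

```python
import re
from collections import defaultdict

# Assumed log format (hypothetical):
#   <ISO-8601 timestamp> <endpoint> <source ip> <account id> <OK|FAIL>
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<endpoint>\S+) (?P<src>\S+) (?P<acct>\S+) (?P<result>OK|FAIL)$"
)


def parse(line):
    m = LINE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    e = m.groupdict()
    e["day"] = e["ts"][:10]  # bucket by calendar day (UTC)
    return e


def analyse(lines, spray_min_accounts=8, spray_max_per_account=3,
            vertical_min_failures=4, global_min_accounts=20):
    """Three views of failed recovery attempts, each catching a different shape.

    spray_sources:     one source touching many accounts, few failures each
                       (the horizontal pattern); defeated by spreading sources.
    vertical_accounts: one account with many failures (classic single-target
                       guessing); defeated by spreading over time.
    global_days:       distinct accounts with failures per day, regardless of
                       source; the only one of the three a botnet cannot dilute.
    """
    per_src = defaultdict(lambda: defaultdict(int))  # (day, src) -> acct -> failures
    per_acct = defaultdict(int)                      # (day, acct) -> failures
    per_day_accts = defaultdict(set)                 # day -> accounts with a failure
    for line in lines:
        if not line.strip():
            continue
        e = parse(line)
        if e["endpoint"] != "recover" or e["result"] != "FAIL":
            continue
        per_src[(e["day"], e["src"])][e["acct"]] += 1
        per_acct[(e["day"], e["acct"])] += 1
        per_day_accts[e["day"]].add(e["acct"])

    findings = {"spray_sources": set(), "vertical_accounts": set(), "global_days": set()}
    for (day, src), accts in per_src.items():
        if len(accts) >= spray_min_accounts and max(accts.values()) <= spray_max_per_account:
            findings["spray_sources"].add(src)
    for (day, acct), n in per_acct.items():
        if n >= vertical_min_failures:
            findings["vertical_accounts"].add(acct)
    for day, accts in per_day_accts.items():
        if len(accts) >= global_min_accounts:
            findings["global_days"].add(day)
    return findings


def constructed_log():
    """Constructed sample traffic, not real data."""
    lines = []
    # Three sources, each probing ten distinct accounts twice, spaced out.
    for i, src in enumerate(["198.51.100.10", "198.51.100.11", "198.51.100.12"]):
        for a in range(10):
            acct = f"acct{1000 + i * 10 + a}"
            for k in range(2):
                lines.append(f"2015-06-09T0{2 + k}:{i * 10 + a:02d}:00Z recover {src} {acct} FAIL")
    # One classic single-account guessing run.
    for k in range(5):
        lines.append(f"2015-06-09T03:1{k}:00Z recover 203.0.113.7 acct2000 FAIL")
    # Ordinary users: a typo then success, and an unrelated login failure.
    lines.append("2015-06-09T09:00:00Z recover 192.0.2.20 acct3000 FAIL")
    lines.append("2015-06-09T09:00:30Z recover 192.0.2.20 acct3000 OK")
    lines.append("2015-06-09T10:00:00Z login 192.0.2.21 acct3001 FAIL")
    return lines


if __name__ == "__main__":
    for name, hits in analyse(constructed_log()).items():
        print(f"{name}: {sorted(hits)}")
```

On the constructed sample the per-source rule flags the three probing addresses and the per-account rule flags `acct2000`, but if the same probes were spread over thirty addresses with one account each, both of those views would go quiet while the per-day count of distinct failing accounts would still stand out against a normal day. That global view is the signal that survives the botnet argument made in the article, at the cost of telling you only that something is happening, not from where.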
Simple: This is not a security "hole". (Score:2)
This is a designed-to-be vulnerable (by idiots, but still) thing. They only pay for unintentional vulnerabilities.
"Up to" one million miles (Score:2)
0 is = 1000000 so they are living up to their word, unfortunately.
Re: (Score:2)
hmm make that "less than or equal to" /. requires & l t ; (the html code for the left angle bracket)
I forgot
trying again...
0 is <= 1000000 so they are living up to their word, unfortunately.
Re: (Score:2)
AS evidenced by the line following "trying again...." yes ;)
Hah (Score:2)
The headline begins with "My" and the submitter is...
HE'S BACK!!!!! (Score:2)
Oh how I missed you. Hey a suggestion for the future: You should host your blog at medium.com and just link every Slashdot story to it. The resulting singularity may be able to be harnessed for clean energy. Dice would be on board if they can put a billboard up next to it.
So.... (Score:2)
I donno if I'm missing something... (Score:2)
Re: (Score:1)
I care more about who brute forces comment #50000000.
Re: (Score:2)
I missed the boat... posted the comment to the wrong story AND made it too late http://yro.slashdot.org/commen... [slashdot.org]
But I'm having trouble finding who DID make it.
Re: (Score:2)
Can't find it either. Only found
49999999 - Glaing Error (Score:-1, Flamebait) [slashdot.org]
And 50000003 - many (Score:2) [slashdot.org]