Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security Businesses Transportation

My United Airlines Website Hack Gets Snubbed 187

Bennett Haselton writes: United Airlines announced that they will offer up to 1 million air miles to users who can find security holes in their website. I demonstrated a way to brute-force a user's 4-digit PIN number and submitted it to them for review, emailing their Bugs Bounty contact address on three occasions, but I never heard back from them. Read on for the rest. If you've had a different experience with the program, please chime in below.

United Airlines announced the program in May (also specifying rules which specifically prohibited hacking in-flight systems, but which included "[t]he ability to brute-force reservations, MileagePlus numbers, PINs or passwords".) I poked around on their website and discovered that on their "Forgot your MileagePlus number?" page, you can request a reset of your password by submitting your first and last name, AND any ONE of the following:

  • your e-mail address
  • your street address
  • your phone number
  • your PIN
  • your password
  • your "old MileagePlus number"

And after submitting your information, the page will tell you whether your information matched an existing MilagePlus customer record.

This means that if you know a user's first and last name, you can guess their PIN, and the MileagePlus site will tell you whether you got it right or not. If the site doesn't limit your number of guesses, you can write a script that iterates through all 10,000 possibilities for the PIN until it finds the right one.

I wrote a script that did exactly that, and brute-forced my own account's PIN in a few hours (submitting one guess at a time, and running at 2 a.m. so as not to impact any other users). This means that United's website is not limiting the number of guesses per IP address, or showing a CAPTCHA after some number of failed attempts, or limiting the number of guesses per hour on a particular account, or any other countermeasures that you might expect. (The Bugs Bounty Program rules state, "[W]e do not allow execution of brute-force attacks on other users," which I interpreted to mean that brute-forcing your own account ought to be fine.)

So, United, if you're reading this, the immediate fix should be to disable the "PIN" option on the "Forgot your MileagePlus Number?" page. Keep the option to retrieve your account number by submitting your password, since even weak passwords are far harder to guess than 4-digit PIN numbers. But get rid of the PIN option.

I mentioned other possible countermeasures, including limiting requests per IP address and showing a CAPTCHA, but I actually don't think either of these would be effective. If you limit requests per IP address, any serious adversary will have a botnet of machines that they can use to submit requests from different addresses. If you make the user type in a CAPTCHA to submit a request, an attacker can hire workers online to read and type in the CAPTCHAs for a penny apiece. If you limit the number of reset attempts per hour on a particular account, that will slow down the attacker's attempts to brute-force the PIN for a particular account. However, if the attacker has a database of 1000 customer names and wants to find PINs for all of them, on Day 1 they could try 10 PINs for customer 1, then 10 PINs for customer 2, and so on up to customer 1000, and then on Day 2 they could try the next set of 10 PINs on customer 1, customer 2, etc. The attacker can't find any particular customer's PIN quickly, but they will be able to recover all of the customers' PINs slowly -- even though they never did more than 10 PIN authentication attempts on any particular account in the same day. Without a safe countermeasure, then, simply getting rid of PIN authentication would be the best fix.

It's because of attacks like this that I would argue that 4-digit PINs should never be used by themselves for authentication, if there's any possibility of a brute-force attack. They should only ever be used (a) for authentication in conjunction with something else, like a password (for example, if you're already logged in to a financial services account, you could require an additional 4-digit PIN to transfer money to another user); or (b) in a scenario where a brute-force attack is infeasible (for example, if you call tech support and a live human operator asks you to authenticate yourself with a 4-digit PIN).

The same attack is probably possible on the MileagePlus login page, since you can log in using your 4-digit PIN as an alternative to your password. However, this is less of a glaring security hole, because to brute-force a someone's PIN number on that page, you would have to at least know their MileagePlus number. The "Forgot Your MileagePlus Number?" page, on the other hand, allows you to brute-force someone's PIN number when all you know is their name.

As is often the case with stolen PINs and passwords, the most harmful effect here would probably not be the compromising of the user's MileagePlus account. The biggest problem is that most users use the same PINs and passwords for multiple accounts, and the attacker now has the 4-digit PIN that the user probably uses for their voicemail password, their ATM card, their burglar alarm, and who knows what else.

I first sent sent two emails about this to United's bug bounty email address reporting the issue on May 23, a few hours apart, and then followed up on June 1 asking if anyone had seen the first messages. I still have not receive a response.

So why didn't United reply? Have they just been receiving too many submissions by email? About 18 months ago I wrote about a researcher who emailed a security hole to Google and never heard back from them, even after they fixed the issue (although Google apologized and paid him his reward after the article ran). I suggested that if email submissions sometimes get back-logged, it would be a more effective approach to have email submissions reviewed by a lower-paid, less-experienced team of interns than by senior security researchers. The principle is that while it takes experience to find and fix security holes, it only takes some simple logical reasoning skills to evaluate whether a particular discovery constitutes a security hole, so the work can be farmed out to interns who want to gain work experience. By having each submission reviewed by, say, 3 randomly chosen interns from your pool of evaluators, you can churn through the submissions faster and reduce the chances of a legitimate bug falling through the cracks.

I'm sure some of the submissions are crap, and it's not United's fault if they initially got behind because they got more mails than they expected. But as soon as they realized they were getting swamped, they should have put more people on it -- even if those extra people were IT interns with just enough computer experience to read a bug description and tell if it was legit.

And one of the interns could also proofread the submission guidelines. Currently, under "things we will pay 250,000 miles for", the program page lists: "Brute-force attacks." Under "things that will result in criminal prosecution," the same page lists: "Brute-force attacks." If United keeps both promises, I hope my air miles don't expire before I get out of jail.

This discussion has been archived. No new comments can be posted.

My United Airlines Website Hack Gets Snubbed

Comments Filter:
  • No More Bennett (Score:5, Interesting)

    by aardvarkjoe ( 156801 ) on Friday June 26, 2015 @11:57AM (#49995911)

    I was surprised to find this show up on the Slashdot front page, and then realized that since the last time we had a Bennett post, I had switched computers, and so my user script to block them was no longer installed. Since I'd already seen it, though, I figured I'd post a link to the script again: https://gist.github.com/anonymous/3235db049b18699c082b#file-gistfile1-txt [github.com].

    This article isn't as stupid as Bennett's normal tripe; at least he seems to have identified a real issue here, although Slashdot is still allowing him to use their website as his personal blog. One amusing thing, though: he's complaining that United isn't responding to his emails about the hole. I've asked Slashdot repeatedly (through both e-mail and comment threads) to make it possible for us to block Bennett posts, or at least to comment on why they won't. The Slashdot staff have, so far, completely ignored me. They have apparently been too busy adding "share to TwitBook" buttons to the stories.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      I think this is the first time I've seen an article title in first person, as well. It's not enough that Bennett uses /. as his personal blog, but now he's even talking about himself on it.

    • Thanks for your script. I modified it to also block posts from StartsWithABang just in case he comes back

    • Re: (Score:3, Insightful)

      by kaiser423 ( 828989 )
      Exactly. This is pretty tripe. He admits up front that the bug bounty program says "No brute forcing of other users account" and then assumes that brute forcing is ok. There's also the possibility that they meant that brute forcing in general is not ok, so just tossed his submission when it arrived because it was a brute force attack. My guess is that they already knew it could be brute forced and were looking for other potential security issues to find and implement as a group before they push the next
      • Re:No More Bennett (Score:4, Interesting)

        by bmxeroh ( 1694004 ) on Friday June 26, 2015 @01:55PM (#49997111) Homepage
        <quote> (Note: While we accept bug reports on the ability to conduct brute-force attacks, we do not allow execution of brute-force attacks on other users. Please see the &ldquo;Do not attempt&rdquo; section. If you believe you have found a method to conduct a brute-force or code injection attack, please report it to us without testing it.).</quote>

        The program details specifically say that. He's an idiot, but we all knew that.
      • These days we talk about brute forcing keys with trillions of possible candidates, this is more like "slight" force rather than brute force.

    • by omems ( 1869410 )
      Sweet. Where/how does one run that script?
      Is it for adblock?
      • In chromium/chrome, you can save the file as "nobennett.user.js" and drag it from your file manager onto the chrome://extensions page; chrome will then give you a popup to ask you to confirm.

        In firefox, you can install it using the Greasemonkey plugin.

        There might be other options for other browsers; this was the first/only user script I've ever written, so I don't know all the tricks.

    • I figured I'd post a link to the script again

      Nice and clean. Thanks.

    • Regardless of whether or not the 'Frequent Contributor' writes anything worth reading (he doesn't; water bottle delivery at a hippy festival ffs?) when /. posts anything written by the venerable Bennett they know two things:

      1. Massive clickbait to sell to advertisers.

      2. Not a single positive comment from their contributors.

      It's a sad situation that I come to this site to read the insights of fellow slashdotters, from whom I have learned a great deal, when my visit is earning money for a set of cynical p

    • by RyoShin ( 610051 )

      I actually thought we were done with him. I was actively checking the names of posts in my RSS feed I thought sounded stupid and didn't see him on any, despite having no script for blocking. Damn.

  • by JJJJust ( 908929 ) <JJJJust@gma i l .com> on Friday June 26, 2015 @11:58AM (#49995919)
    The website explains the brute-forcing thing in a roundabout way... but it does note (emphasis added):

    While we accept bug reports on the ability to conduct brute-force attacks, we do not allow execution of brute-force attacks on other users. Please see the “Do not attempt” section. If you believe you have found a method to conduct a brute-force or code injection attack, please report it to us without testing it.

    • Re: (Score:1, Redundant)

      by zlives ( 2009072 )

      "we do not allow execution of brute-force attacks on other users"
      he did it to his own account

      • Re: (Score:3, Informative)

        by Anonymous Coward

        Under "DO NOT ATTEMPT" it Clearly states that Brute Force Attacks are not allowed. That's about as clear as they can make it. It's the TOP ITEM under "Don't do this or we will disqualify you and possibly start a criminal investigation"

        Do not attempt:
        Attempting any of the following will result in permanent disqualification from the bug bounty program and possible criminal and/or legal investigation. We do not allow any actions that could negatively impact the experience on our websites, apps or online portal

        • by Orphis ( 1356561 )

          This isn't a BRUTE force attack. This is just a force attack.
          If a server has an issue with 10k requests at night when nobody is using it over a few hours, then they have much bigger problems!

          • by bws111 ( 1216812 )

            Brute force has absolutely nothing to do with what the server can handle, it just means trying every possibility.

          • If a server has an issue with 10k requests at night when nobody is using it over a few hours, then they have much bigger problems!

            It is daytime somewhere on the planet all the time, United flies internationally, and there are good reasons why someone even in the US would use the United web system when it is their local nighttime. Your excuse that it was "at night when nobody is using it" is ridiculous. People use it all the time. The interwebs are international in scope, dude.

            "At night" doesn't mean it wasn't brute force. Brute force, as another has already pointed out, means "trying all combinations", not "there's only 10,000".

            And

            • You can still mitigate brute-forcing by putting a waiting period between attempts. And a PIN with only 10,000 combinations absolutely needs protection. So if they left it unprotected, they should fix it.

    • by Nemyst ( 1383049 )
      Note that it does say "other users", so technically you could quite easily run the test against yourself.
  • . . . are usually crap.

  • "My" (Score:5, Insightful)

    by Anonymous Coward on Friday June 26, 2015 @11:58AM (#49995925)

    If the title of your post starts with "my", and it isn't on Ask Slashdot, you are a douche.

  • by Anonymous Coward on Friday June 26, 2015 @12:05PM (#49995993)

    Bugs that are eligible for submission:
    The ability to brute-force reservations, MileagePlus numbers, PINs or passwords (Note: While we accept bug reports on the ability to conduct brute-force attacks, we do not allow execution of brute-force attacks on other users. Please see the “Do not attempt” section. If you believe you have found a method to conduct a brute-force or code injection attack, please report it to us without testing it.)

    Do not attempt:
    Attempting any of the following will result in permanent disqualification from the bug bounty program and possible criminal and/or legal investigation. We do not allow any actions that could negatively impact the experience on our websites, apps or online portals for other United customers.

    Brute-force attacks

    So... It looks like you didn't follow the rules & tested a brute force attack. That straight away says that they will most likely ( and with valid reasoning ) disqualify you from the program. Since you used your account only, they will likely not prosecute. You still broke the rules and will probably not get anything except kicked out.

    • Yeah, he interpreted it as forbidding brute-force testing against other users, but allowing brute-force against one's own account when it's clear that it actually means "don't test brute-force attacks at all"

      Frequent Contributor Bennet Haselton is coming across as a bit "Autistic spectrum-y" in this story.

      • by Yebyen ( 59663 )

        >> (Note: While we accept bug reports on the ability to conduct brute-force attacks...
        > when it's clear that it actually means "don't test brute-force attacks at all"

        I hate Bennet Haselton as much as the next man, but you are actually wrong according to GP's quote from the rules.

        • I hate Bennet Haselton as much as the next man, but you are actually wrong according to GP's quote from the rules.

          He is actually right, according to GPs quote from the rules.

          Do not attempt: ... Brute-force attacks.

          He attempted a brute-force attack. From the fine summary:

          If the site doesn't limit your number of guesses, you can write a script that iterates through all 10,000 possibilities for the PIN until it finds the right one. I wrote a script that did exactly that, ..."

          So our fine author admitted he did what the rules prohibited. The rules appear quite clear: they will accept reports of how a brute-force attack c

      • Yeah, he interpreted it as forbidding brute-force testing against other users

        That's right, since it said "we do not allow execution of brute-force attacks on other users"

      • You seem to have accidentally hit the "coming across as a bit " key on your keyboard, the "-y" key, and the " in this story" key.

        Your keyboard looks mighty strange from over here.

    • by Ichijo ( 607641 ) on Friday June 26, 2015 @12:53PM (#49996501) Journal
      Serious question: how could someone determine that PINs can be brute-forced without brute forcing them? Without the ability to prove it, it's the bounty hunter's word against the website, and we already know websites will do anything they can to avoid paying [slashdot.org].
      • Try 10 times and assume that there isn't a cap after that. Much easier on the servers than 9999 password reset attempts.

        This is a huge security vulnerability and they should patch it. But he also blatantly broke the rules.

        • by Ichijo ( 607641 )

          Try 10 times and assume that there isn't a cap after that... But he also blatantly broke the rules.

          Please provide pseudocode that determines whether he used brute-force. Be sure to fully justify, with citations where possible, any violation of the zero-one-infinity rule [wikipedia.org] in your answer. For example, why 10 attempts? Why not 9, or 11?

          If you can do this, then your claim that he "blatantly" broke the rules might be valid. Good luck!

      • by AmiMoJo ( 196126 )

        You have to give them the benefit if the doubt. If they refuse to pay up you go public with your complaint and maybe threaten legal action. In the UK you can use the small claims system that only costs about $50, no lawyer needed.

        And next time you sell the vulnerably on the open market, as does everyone else who read your warning.

    • So really, they are doing him a favor by ignoring him.

      If they acknowledge it, they have to kill his account and possibly report him to the authorities.

  • I tried... (Score:5, Funny)

    by bogie ( 31020 ) on Friday June 26, 2015 @12:09PM (#49996045) Journal

    But they said there was now a $50 service fee in order for me to submit my bug. They said something about how fuel prices had gone up and they had no choice but to start charging the fee.

  • by SeaFox ( 739806 ) on Friday June 26, 2015 @12:15PM (#49996111)

    If your bug submission was anything like your Slashdot submissions, their eyes glazed over after the first three paragraphs and they didn't even read the other eight pages where you actually explained the hack.

  • by Anonymous Coward

    http://www.united.com/web/en-US/content/contact/bugbounty.aspx#terms

    Do not attempt:

    Attempting any of the following will result in permanent disqualification from the bug bounty program and possible criminal and/or legal investigation[!!1!]. We do not allow any actions that could negatively impact the experience on our websites, apps or online portals for other United customers.

    Brute-force attacks
    Code injection on live systems
    Disruption or denial-of-service attacks
    The compromise or testing of MileagePlus accounts that are not your own
    Any testing on aircraft or aircraft systems such as inflight entertainment or inflight Wi-Fi
    Any threats, attempts at coercion or extortion of United employees, Star Alliance member airline employees, other partner airline employees, or customers
    Physical attacks against United employees, Star Alliance member airline employees, other partner airline employees, or customers
    Vulnerability scans or automated scans on United servers (including scans using tools such as Acunetix, Core Impact or Nessus)

    Please, please, please, let it happen!

  • "Hi. You haven't acknowledged my findings yet. I think I have demonstrated that I've met the requirements of your "bounty". You can of course disagree, and that's fine. There are others who want to buy my work. Should I not hear back from you in the next 14 days, I will do business with them."

    • While this shouldn't be on Slashdot (in this format, AKA personal blog post), Bennett's actions are better than trying to coerce them.

      Forbidden as per their terms:

      Any threats, attempts at coercion or extortion of United employees, Star Alliance member airline employees, other partner airline employees, or customers

    • He can't sell that exploit. He's already given it away. Here.

      Please tell me about the other amazing business strategies you're contemplating. Your ideas are intriguing to me and I wish to subscribe to your newsletter.

    • Quick trip to a federal court for extortion.

  • by Anonymous Coward

    Had you read the rules, you might have noticed:

    Attempting any of the following will result in permanent disqualification from the bug bounty program and possible criminal and/or legal investigation: Brute-force attacks

  • After not hearing from bennett for so long, I thought slashdot had finally come to it's senses and shit-canned that ass wipe. I guess I'm the ass wipe instead.
  • Since Mr Hennet Baselton is a blogger, maybe he should write a post about it. Perhaps it will go viral just like this musician's songs about United breaking guitars [wikipedia.org]. Not.

    Jokes aside, I have some friends that are travel agents, and they all seem to shy away from letting their clients fly United.

  • by Anonymous Coward

    No surprises to be found; Bennett chooses a literal interpretation of something to further his own agenda, and disregards the rule saying "If you find a brute force attack, do not attempt it, it is immediate disqualification."

    I wish Bennett was as smart as he thinks he is and found something noteworthy enough to be sued for exploiting, but the only hack here is him.

  • To be completely honest I enjoy having an occasional Bennett Haselton submission. (And a quick search through slashdot, they are occasional). I learn a little thing and I think a moderate amount. Which is exactly what I come to slashdot for. If you do ever quit submitting to slashdot I may actually look to see if you have a blog.

    I always hate when companies have such glaring security flaws and refuse to do anything about it. They deserve what comes to them I guess...

  • [shrugs] you could just resubmit it and show the possibility for a brute force without actually admitting that you broke the rules in testing the possibility...

  • by NotDrWho ( 3543773 ) on Friday June 26, 2015 @12:37PM (#49996321)

    * Meaning 0 - 1 million air miles

  • Something you may not realize if you're not a frequent flyer is that FF miles cost the airline almost nothing since they don't open up additional rewards inventory to match. That is, United could give Bennett a million miles (equivalent to about 40 domestic cheap roundtrips, or several international business or first class trips) by merely changing numbers in their database. They don't actually incur any significant expense because they open the same amount of rewards inventory (seats that can be purchase

    • Yes, it's easy to just grant FQTV miles arbitrarily, but airlines do somewhat treat them like currency. Also, the old-school domestic airlines (AA, UA, DL, hey, are there really only 3 left???) rely heavily on business travelers so it's in their best interest to not water down their programs. But you are right - unless they specifically block out inventory, they won't lose money, especially for a one-off bug bounty payment.

      Look at FlyerTalk forums sometime. All those consultants working for the Big 4, or tr

    • Most United Frequent Flyer awards though aren't claimed though. Except for really popular routes at popular times you can get a Saver Frequent Flyer ticket almost anywhere. Your assertion assumes that Award tickets are always completely filled. Especially considering that most Airlines can now sell out entire flights most of the time that means they are missing out on some revenue.

      Frequent flyer programs do cost money but they also do make a lot of money too. Both through Credit Card fees and because

  • by Virtucon ( 127420 ) on Friday June 26, 2015 @12:47PM (#49996419)

    That's like 10 years in Leavenworth.

  • by Overzeetop ( 214511 ) on Friday June 26, 2015 @12:48PM (#49996449) Journal

    Good News - you've got a million frequent flyer miles!
    Bad News - you have to fly United.

  • Haven't tried United recently, but websites where they ask you for a US phone number and then complain that you entered dashes, spaces, etc. really piss me off. A US phone number is 10 digit. If you ignore everything that isn't a digit and end up with 10 digits (or it starts with a 1 and you have eleven) then it's a freaking phone number.

    Credit card numbers ditto.

    Reservation number. If the first character is a space (as it often is after a copy/paste from e-mail) then ignore it and take the rest
  • by bobbied ( 2522392 ) on Friday June 26, 2015 @12:51PM (#49996479)

    One of the terms here is that your submission "MUST BE THE FIRST" that specifies the successful attack...

    If you don't know for sure yours was the first (and there is no way you can) it's up to United to respond or not and pony up with the miles or not. So you did all that work, proved the attack works, but you don't really know if United hasn't already validated somebody else's submission for this and paid THEM the miles you think they owe you.

    Then there is the whole, how do you know they actually received it vector....

    Look, you are unlikely to get anything out of United on this. Stop wining about it and move on.

    • by AmiMoJo ( 196126 )

      Any reasonable bug bounty programme should pay out if you report a bug while it's live. It's only fair, especially if the goal is to stop bugs being sold as zero day.

  • Didn't you whine a lot before about how spam filters always weed out your inane drivel?
  • I'd be more concerned that you can use first name, last name and phone number. Your example takes 10000 PIN attempts with a given first and last name, where you could script it to go through a phone book and have legitimate combinations of the 3. The same goes for email. And on that note, the article just says success indicates if the account exists....I don't see anything about actually being able to reset your own password using this method.
  • And more meh.
  • I hope Bennett gets his million free air miles so that he'll spend more time traveling and less time writing Slashdot submissions!

    • They promise "up to" one million free miles...

      0 = 1000000 therefore they are living up to their promise... technically....

  • Keep the option to retrieve your account number by submitting your password, since even weak passwords are far harder to guess than 4-digit PIN numbers.

    I don't think that's a reasonable assumption to make, particularly if you don't care about which account you get access to. Instead of guessing a lot of passwords for a single user, you can guess a small number of passwords for a lot of users. This also gets around any limits regarding access for a single account, as has been suggested as a solution. Getting multiple boxes to carry out this operation gets around limits regarding account access from a single IP address.

    If you choose a sufficiently common wea

  • This is a designed-to-be vulnerable (by idiots, but still) thing. They only pay for unintentional vulnerabilities.

  • 0 is = 1000000 so they are living up to their word, unfortunately.

    • hmm make that "less than or equal to"
      I forgot /. requires & l t ; (the html code for the left angle bracket)

      trying again...

      0 is <= 1000000 so they are living up to their word, unfortunately.

  • The headline begins with "My" and the submitter is...

  • Oh how I missed you. Hey a suggestion for the future: You should host your blog at medium.com and just link every Slashdot story to it. The resulting singularity may be able to be harnessed for clean energy. Dice would be on board if they can put a billboard up next to it.

  • Bennett Haselton, that's your first and last name, right ? .....
  • but did Apple require all new iDevices running iOS 9 to have minimum of 6 digit PINs for this reason? (brute force attacks)

Single tasking: Just Say No.

Working...