United Airlines first made headlines with its bug bounty program in May of this year. As Graham Cluley noted on Tripwire’s The State of Security blog, the program rewards researchers with flight miles and offers one million United awards miles for the most serious of vulnerabilities.
But that apparently didn’t happen for researcher Randy Westergren.
As outlined in a post he published on his website, Westergren first discovered the bug in United’s mobile app while proxying his requests under his newly created MileagePlus account. One request turned up an “mpNumber” parameter that particularly grabbed his interest.
“Since the user is already authenticated and cookies are presumably being used to track session state, this parameter looked like an IDOR vulnerability,” Westergren explains.
To test the vulnerability, Westergren ran the same dubious request using the number from a MileagePlus test account he created. This experiment yielded “a lot” of information under a “recordLocator” paraemeter. It also exposed the customer’s last name.
“Using just these two values, an attacker could completely manage any aspect of a flight reservation using United’s website,” Westergren observes. “This includes access to all of the flight’s departures, arrivals, the reservation payment receipt (payment method and last 4 of CC), personal information about passengers (phone numbers, emergency contacts), and the ability to change/cancel the flight.”
That’s not all. Further investigation revealed that the same response could expose Club Pass customers’ email addresses and barcode values, as explained by Computerworld.
Westergren initially submitted his report on the vulnerability to United’s security team on May 27, 2015. After months of sending follow-ups to the airline, all of which revealed that his submission was still “in queue”, Westergren tweeted United earlier this month and announced that he would go public with the vulnerability on November 28th.
Hey @united, 6 months for a critical vuln is beyond reasonable. Public disclosure is planned for 11/28.
— Randy Westergren (@RandyWestergren) November 5, 2015
Under the company’s bug bounty guidelines, anyone who publically discloses a vulnerability automatically disqualifies themselves from the program and by extension from receiving any award. But Westergren took that risk anyway. It is his belief that the media attention his tweet helped generate ultimately led United to patch the bug on November 14th.
As Security Week reports, the airline has since provided the following statement:
“The protection of our customers’ information is one of our top priorities, and we have extensive security measures in place to safeguard their personal data. We have addressed this issue and are confident that our systems are secure. We remain vigilant in protecting against unauthorized access and will continue to use best-practices on cyber-security to maintain our effectiveness.”
United is not the only company whose bug bounty program has disappointed researchers in recent months.
As I wrote back in September, researcher Julian Ahrens went public with a buffer overflow vulnerability in Yahoo! Messenger after the company refused to fix the issue. A follow-up statement from the company explained that Yahoo! arrived at this decision because the vulnerability was found to be of low severity and because Messenger was deemed end of life (EOL).
Westergrens is right to say that while bug bounty programs are useful, they must be run effectively to have any real impact.
Like any relationship, a bug bounty program is a two-way street. Under this arrangement, researchers do their work and abide by responsible disclosure policies, and companies acknowledge their effort by quickly patching any bugs and by rewarding researchers, when appropriate. It would seem that United might not have lived up to its side of the bargain in this situation.
Going forward, companies such as United must keep in mind that bug bounty programs will succeed only as a result of productive collaboration with researchers. That does not include patching bugs only after media reports motivate it to do so.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.