A security researcher found and reported a critical vulnerability to United Airlines that could allow an attacker to “completely manage any aspect of a flight reservation using United’s website.” He claims United Airlines, which announced a bug bounty program about six months ago, didn’t deploy a fix for five months and only plugged the holes after he threatened to publicly disclose the unpatched vulnerability.
United Airlines launched its bug bounty program last May, promising to hand out loyalty miles instead of cash for finding flaws; United’s in-flight systems were off limits, as the company did not want researchers hunting for bugs in its Wi-Fi, entertainment systems or avionics. The program received a lot of press because it followed security researcher Chris Roberts’ joking tweet about live-testing United 737/800 aircraft systems; it also followed a U.S. Government Accountability Office report (pdf) which warned that aircraft avionics systems could be at risk due to Internet connectivity.
Westergren created a MileagePlus account when he started looking at United Airlines’ mobile app. During his research, he found that the information exposed included a customer’s last name and “recordLocator.” He wrote:
“Using just these two values, an attacker could completely manage any aspect of a flight reservation using United’s website. This includes access to all of the flight’s departures, arrivals, the reservation payment receipt (payment method and last 4 of CC), personal information about passengers (phone numbers, emergency contacts), and the ability to change/cancel the flight.”
But that wasn’t all; Club Passes were also exposed. After showing a snippet of code, Westergren wrote:
“Note that the customer’s email address is exposed, as well as the barcode value. This means an attacker could likely gain access to the United Club by spoofing another customer’s barcode value at the entrance, essentially stealing his purchased pass.”
Although he submitted his report on the bug to United’s security team on May 27, he knew the team was probably swamped since it had only just launched a bug bounty program, and he expected a delayed response. He didn’t, however, expect that no patch would be deployed for over five months.
United initially replied in June, claiming the bug was a duplicate. When Westergren asked for an estimated patch date, United’s security team replied that only the original submitter of the vulnerability would be told. He sent United another email on Nov. 5, the same day he tweeted: “Hey @united, 6 months for a critical vuln is beyond reasonable. Public disclosure is planned for 11/28.”
United Airlines responded on Nov. 6, as Westergren noted:
One of the terms is that public disclosure (of any kind) will result in permanent disqualification from their program and loss of any reward; indeed I was reminded of this by United’s team when I informed them of my intention to go full disclosure. Since I was not to receive an award regardless, and I didn’t have further interest in submitting to the program, I accepted the threat of disqualification.
On Nov. 12, Westergren talked to a media contact who, on Nov. 13, asked United Airlines to comment on the situation before running the story on Nov. 14. The critical vulnerability was patched on Nov. 14.
Bug bounty programs are important for creating better security, but Westergren added, “Running one effectively is critical.” Although his “intention to publicly disclose the vulnerability appears to have pressured United to fix it,” he suspects “that the request for comment by media personnel ultimately forced them to take the necessary action.”