Nature of bug
It is possible to extract personally identifiable information and modify passengers’ flight reservations without their permission.
Potential bug eligibility categories:
- Potential for information disclosure
- The ability to enumerate reservations, MileagePlus numbers
- Authentication bypass
- Bugs in third-party assets loaded by United-operated, customer-facing applications
Potential bug severity categories:
- Brute-force attacks (MEDIUM)
- Potential for personally identifiable information (PII) disclosure (MEDIUM)
Steps required
- Call the customer support number, talk to computer
- “Find flight details”
- From any Asian city (example: PVG)
- Typical Asian last name (example: LIU)
- First name: pick a letter (example: A)
Repeat the fifth step 26 times, once for each letter of the alphabet.
Now you have a random passenger's confirmation number and can cancel their ticket. Or you can pull up their flight details and ticket confirmation, which includes their full name and other information.
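The enumeration above is visible on the vendor side as one caller walking the first initial through the alphabet against a fixed origin and last name. The following detection logic is an added example, not code from the original post or from United; it runs over constructed IVR lookup log lines in a field layout that is an assumption, and flags callers either by raw lookup volume in a time window or by the single-letter-first-name pattern described in the steps.

```python
"""Flag reservation-lookup enumeration in IVR logs (added example, constructed data)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log lines. The field layout (caller, origin, last, first, result)
# is an assumption for this example, not the vendor's real log format.
SAMPLE_LOG = """\
2018-08-24T10:00:01Z caller=+15550100 origin=PVG last=LIU first=A result=miss
2018-08-24T10:00:20Z caller=+15550100 origin=PVG last=LIU first=B result=miss
2018-08-24T10:00:41Z caller=+15550100 origin=PVG last=LIU first=C result=hit
2018-08-24T10:01:02Z caller=+15550100 origin=PVG last=LIU first=D result=miss
2018-08-24T10:01:25Z caller=+15550100 origin=PVG last=LIU first=E result=miss
2018-08-24T10:01:47Z caller=+15550100 origin=PVG last=LIU first=F result=miss
2018-08-24T10:05:00Z caller=+15550177 origin=SFO last=SMITH first=JOHN result=hit
2018-08-24T10:06:00Z caller=+15550188 origin=PVG last=LIU first=MEI result=hit
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) caller=(?P<caller>\S+) origin=(?P<origin>\S+) "
    r"last=(?P<last>\S+) first=(?P<first>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict; timestamps become aware UTC datetimes."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def flag_enumeration(log_text, max_lookups=5, window=timedelta(minutes=10), min_initials=3):
    """Return {caller: summary} for callers that look like they are enumerating.

    Two independent signals, either of which flags the caller:
      1. more than `max_lookups` lookups inside a sliding `window`;
      2. at least `min_initials` distinct one-letter first names tried against
         the same origin and last name (the alphabet walk from the report).
    """
    recent = defaultdict(deque)  # caller -> records still inside the window
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        q = recent[rec["caller"]]
        q.append(rec)
        # Drop records that have aged out of the window.
        while q and rec["ts"] - q[0]["ts"] > window:
            q.popleft()
        too_many = len(q) > max_lookups
        initials = {
            r["first"] for r in q
            if len(r["first"]) == 1 and r["origin"] == rec["origin"] and r["last"] == rec["last"]
        }
        walking_alphabet = len(initials) >= min_initials
        if too_many or walking_alphabet:
            flagged[rec["caller"]] = {
                "lookups_in_window": len(q),
                "initials_tried": sorted(initials),
                "hits": sum(1 for r in q if r["result"] == "hit"),
            }
    return flagged


if __name__ == "__main__":
    for caller, summary in flag_enumeration(SAMPLE_LOG).items():
        print(caller, summary)
```

The volume threshold catches any brute-force regardless of query shape; the initials check catches the specific low-and-slow variant even when it stays under the rate limit. Either signal is a reasonable trigger for throttling that caller or requiring a confirmation number before any reservation details are read back.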
Tools used to discover bug
iPhone 7, Rose Gold color
Test date
Approximately August 24th.
Disclosure schedule
- 2018-08-24: Discovery
- 2018-08-26: Disclosure to vendor
- 2018-10-02: Vendor claims not eligible for bug bounty payment (I disagree)
- 2018-10-04: Warn vendor of public disclosure in +3 weeks
- 2018-11-20: Public disclosure
The vendor did not request an extension of the 3-week disclosure schedule. Nor did the vendor deploy a fix or provide any information about a forthcoming fix. This vulnerability is live and exploitable today.
Please discuss this topic anywhere and let me know any great comments or media coverage I should link here.