Free miles: airline customers almost lost their loyalty points because of weak encryption

The personal and payment details of 22 million passengers were sitting there, waiting to be taken.

Travel reward programs, such as those offered by airlines and hotels, tend to advertise the benefits that set them apart from competing programs in the same industry. Behind the scenes, however, many of them, including the internationally popular Delta SkyMiles, United MileagePlus, Hilton Honors, Marriott Bonvoy and Virgin Red, run on the same platform: their back end is provided by Points.com.

Recently, security researchers Ian Carroll, Shubham Shah and Sam Curry discovered critical vulnerabilities in the Points.com API infrastructure that an attacker could have used to steal the data of 22 million customers, steal so-called "bonus miles" (the programs' in-service reward currency) and even gain full control over the loyalty programs themselves.

The key findings include the ability to obtain user authorization tokens, read orders in the system (with addresses and credit card numbers), and take over global administrator accounts because of weak encryption. According to one of the researchers, it is precisely the centralized nature of Points.com, and its use by so many large companies, that makes the platform an extremely attractive target.

One of the vulnerabilities allowed attackers to move between sections of the Points API infrastructure and reach loyalty program order data. The system held 22 million such orders, containing customers' addresses, phone numbers, e-mail addresses and partial bank card numbers.

Although Points.com limited the amount of data returned per request, the researchers note that, given enough patience and time, an attacker could collect the records of specific people or gradually exfiltrate the entire store. A per-request cap is throttling, not access control: it slows a bulk dump down, it does not prevent it.

Another problem was that, because of an API misconfiguration, attackers could generate an authorization token on behalf of any user knowing only that user's last name and loyalty program number. Both values can be obtained from leaks, or through the first vulnerability described above. With someone else's token, a criminal could transfer bonus miles or points to their own account, draining the victim's balance to zero.
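The following is an added example, not Points.com's code and not the researchers' tooling. It models the flaw above in Python: a token endpoint that accepts a member number and surname (two values that also sit in the leaked order records) is, in effect, unauthenticated, and chaining it with the enumerated orders drains every account in one loop. The account data, leaked-order records, member numbers and passwords are all constructed for the demo; the hardened variant, which additionally requires a password checked against a salted PBKDF2 hash, is a suggested fix, not the one Points.com deployed.

```python
import hashlib
import hmac
import secrets


# Constructed sample data (invented for this example, not real Points.com records):
# loyalty accounts keyed by member number, each with a salted PBKDF2 password hash.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _account(last_name, balance, password):
    salt = secrets.token_bytes(16)
    return {"last_name": last_name, "balance": balance,
            "salt": salt, "pw_hash": _hash_password(password, salt)}


ACCOUNTS = {
    "100200300": _account("Smith", 52000, "correct horse"),
    "100200301": _account("Garcia", 18000, "battery staple"),
    "999999999": _account("Mallory", 0, "attacker-pw"),   # the attacker's own account
}

# Server-side session store: opaque bearer token -> member number.
SESSIONS = {}


def _new_session(member_number):
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = member_number
    return token


def issue_token_vulnerable(member_number, last_name):
    """Models the reported flaw: a bearer token is minted from two values that are
    not secrets (member number and surname both appear in the leaked order data)."""
    acct = ACCOUNTS.get(member_number)
    if acct is None or acct["last_name"].lower() != last_name.lower():
        return None
    return _new_session(member_number)


def issue_token_hardened(member_number, last_name, password):
    """Same lookup, but the caller must also prove knowledge of a secret.
    The hash comparison is constant-time to avoid a timing side channel."""
    acct = ACCOUNTS.get(member_number)
    if acct is None or acct["last_name"].lower() != last_name.lower():
        return None
    candidate = _hash_password(password, acct["salt"])
    if not hmac.compare_digest(candidate, acct["pw_hash"]):
        return None
    return _new_session(member_number)


def transfer_points(token, to_member, amount):
    """Move points out of the account the bearer token belongs to."""
    src_number = SESSIONS.get(token)
    if src_number is None or to_member not in ACCOUNTS or amount <= 0:
        return False
    src = ACCOUNTS[src_number]
    if amount > src["balance"]:
        return False
    src["balance"] -= amount
    ACCOUNTS[to_member]["balance"] += amount
    return True


# Constructed: the fields an attacker would harvest through the order-enumeration bug.
LEAKED_ORDERS = [
    {"member_number": "100200300", "last_name": "Smith", "card_last4": "4242"},
    {"member_number": "100200301", "last_name": "Garcia", "card_last4": "1881"},
    {"member_number": "555555555", "last_name": "Nobody", "card_last4": "0000"},  # stale record
]


def drain_with_leaked_orders(orders, attacker_member):
    """Chain the two flaws: mint a token per leaked identity, then move every point
    to the attacker. Returns the total number of points stolen."""
    stolen = 0
    for order in orders:
        token = issue_token_vulnerable(order["member_number"], order["last_name"])
        if token is None:          # account closed or record stale: skip it
            continue
        amount = ACCOUNTS[order["member_number"]]["balance"]
        if transfer_points(token, attacker_member, amount):
            stolen += amount
    return stolen


if __name__ == "__main__":
    print("points stolen:", drain_with_leaked_orders(LEAKED_ORDERS, "999999999"))
    print("hardened endpoint, wrong password:",
          issue_token_hardened("100200300", "Smith", "guess"))
```

The point of the hardened variant is not the hashing detail but the principle: a token must be issued only in exchange for something the legitimate user alone knows or holds. Identifiers that are printed on boarding passes, stored in order records and traded in leak dumps do not qualify, however many of them the endpoint asks for.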

The hole in Points.com's global administration site turned out to be the most dangerous. User cookies there were encrypted with a weak key that was easy to guess. Anyone who recovered that key could forge a session cookie and gain administrator privileges over the entire system.

Points.com responded quickly to the researchers' report and fixed all of the vulnerabilities. According to the company, there were no signs of malicious use of the data, which means the researchers got there first.

The researchers hope their work will help other companies that are responsible for large amounts of data and many systems at once to assess their cybersecurity risks more realistically and put the necessary protections in place in good time.
 