United Airlines takes 6 months to patch severe security flaws

The fanfare surrounding the airline's new bug bounty seems somewhat pointless, now.

United Airlines has taken six months and the threat of public exposure to patch a severe security flaw which allows attackers to compromise flight books and reservations.

The US airline launched a bug bounty program in May this year in response to the rising threat of cyberattacks. The news was met with approval from many quarters as a symbol that companies with responsibility for customer safety were beginning to take security a little more seriously.

Through the program, United offers air miles as a reward to researchers who submit vulnerabilities which could damage customer or company data. Almost immediately, one researcher was awarded one million air miles for reporting the existence of a severe remote code execution (RCE) flaw.

The bug bounty program appeared to get off to a good start. However, according to researcher Randy Westergren, delays in patching serious problems submitted through the bug bounty are unacceptable and it took the threat of public disclosure to get anywhere.

In a blog post this week, Westergren said he identified a serious vulnerability hidden within an API endpoint which exposed the personally identifiable information (PII) of Rewards members.

Unfortunately, United's team has taken just under six months to fix the problem.

During testing, Westergren created a MileagePlus account and launched the airline's mobile app to log in. The researcher found a vulnerability related to insecure direct object references which gave him the chance to tweak code, submit a MileagePlus number from a test account and, therefore, expose all of the PII data associated with the account.

"This includes access to all of the flight's departures, arrivals, the reservation payment receipt (payment method and last 4 of CC), personal information about passengers (phone numbers, emergency contacts), and the ability to change/cancel the flight," the researcher noted.

As the customer's email address and barcode values on reservations are exposed, an attacker could spoof these details at the entrance to the mobile portal, essentially stealing such purchases.

The vulnerability was initially submitted in May, although Westergren was not the only researcher to submit the flaw. After several months of communication and follow ups, the researcher informed the US airline of his plans to go public later this month via both tweet and email.


The vulnerability was patched on 14 November.

Whether researchers should wield the threat of going public to push vendors to fix security issues more quickly or not is debatable, but for many, six months is simply too long to patch a severe issue which could harm customers.

"Just like bounty programs have terms, I think we have to strike a balance as researchers with our own terms," Westergren said. "I believe six months is more than a fair deadline for something so serious and easily patched. Alternatively, if researchers wait forever and don't pressure vendors, we'll likely end up in a worse scenario."

Read on: Top picks