Leaked Secrets and Unlimited Miles: Hacking the Largest Airline and Hotel Rewards Platform
Our first report was an unauthenticated HTTP path traversal that exposed an internal API, which would have allowed an attacker to query entries from a set of 22 million order records. The records included partial credit card numbers, home addresses, email addresses, phone numbers, reward points numbers, customer authorization tokens, and miscellaneous transaction details. This information could be queried through an API call that returned one hundred results per HTTP request. By appending optional sorting parameters, an attacker could enumerate the data or query for specific information (e.g. searching for a customer's name or email address).
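The finding above hinges on a front end forwarding a request whose path, once decoded and normalized, no longer lives under the public API prefix. The following is an added example (not the researchers' code and not the platform's real routing) of the two defender-side checks that would have caught it: a normalization guard that rejects any path escaping a public prefix, and a small detector that runs that guard over access-log lines. The `/api/public/` prefix and the log lines are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Hypothetical public prefix; the real platform's routes are not on the page.
PUBLIC_PREFIX = "/api/public/"


def normalize_request_path(raw_path, max_decode_rounds=3):
    """Strip the query string, percent-decode a bounded number of times
    (so double-encoded sequences are resolved), treat backslashes as
    separators, and collapse '.' and '..' segments."""
    path = raw_path.split("?", 1)[0]
    for _ in range(max_decode_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    normalized = posixpath.normpath(path)
    # normpath drops a trailing slash; keep it so prefix checks stay exact.
    if path.endswith("/") and not normalized.endswith("/"):
        normalized += "/"
    return normalized


def is_allowed_path(raw_path, public_prefix=PUBLIC_PREFIX):
    """Allow a request only if its normalized path stays under the public
    prefix and contains no residual traversal segment."""
    normalized = normalize_request_path(raw_path)
    if not normalized.startswith(public_prefix):
        return False
    if ".." in normalized.split("/"):
        return False
    return True


# Constructed access-log lines in common log format (not real traffic).
CONSTRUCTED_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /api/public/orders?sort=email HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /api/public/../internal/orders?sort=email HTTP/1.1" 200 98304
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /api/public/%252e%252e/internal/orders?page=2 HTTP/1.1" 200 98304
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /api/public/profile HTTP/1.1" 200 812
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE|PATCH) (\S+) HTTP/')


def flag_traversal_in_log(log_text):
    """Return (client, raw_path) for every logged request whose path escapes
    the public prefix after normalization. Useful as a retrospective check:
    a 200 response on such a line means the front end forwarded it."""
    flagged = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        client = line.split(" ", 1)[0]
        raw_path = match.group(1)
        if not is_allowed_path(raw_path):
            flagged.append((client, raw_path))
    return flagged


if __name__ == "__main__":
    for client, path in flag_traversal_in_log(CONSTRUCTED_LOG):
        print(f"traversal escaping {PUBLIC_PREFIX} from {client}: {path}")
```

The guard is deliberately conservative: anything that does not normalize to a path under the public prefix is rejected rather than rewritten, and decoding is bounded so a pathological input cannot loop. In the detector, a flagged line with a 200 status is the signal worth alerting on, since it shows the request reached the backend rather than being refused at the edge.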