
United Airlines Bug Bounty: An experience in reporting a serious vulnerability - rwestergren
http://randywestergren.com/united-airlines-bug-bounty-an-experience-in-reporting-a-serious-vulnerability/
======
eyeareque
If you've participated in their program, you'll probably find that they have
their fair share of issues. This is probably where their delay is coming from
(but not a valid excuse). I found two serious problems in less than an hour. I
reported the issues to them and was subsequently told that both submissions
were out of scope and a firm warning to follow the rules. You're welcome for
the free findings.

~~~
manigandham
It's pretty ridiculous that actual problems are "out of scope".

~~~
debaserab2
Maybe it is, but given that the original commenter did not describe what the
problems were, we have no idea as to their severity.

------
jacquesm
Interesting terms, if you can't talk about it afterwards how do people know
that any of these bounties were paid out? After all there is a pretty simple
loophole here: mark any and all reports as duplicates, no need to pay out.

~~~
ssclafani
You can't talk about the details of the bug but you can talk about the reward:
[https://twitter.com/Stephen/status/627190837735239680](https://twitter.com/Stephen/status/627190837735239680)
The program is legit, they are just very slow (I didn't actually receive the
miles until October).

------
cm2187
The author is being nice calling it a bug. A buffer overflow is a bug. This is
a moronic design, like a SQL vulnerability. I am shocked that in this day
and age, so many web developers have not adopted the mentality "everything
coming back from the client may and will ultimately be tainted". Relying on an
ID provided by the client without checking the appropriate access is
inexcusable. How many years ago was the Dell shopping cart bug (where a client
could alter the price of an order)?
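The pattern cm2187 describes, as an added example that is not part of the thread or of United's code: a reservation lookup keyed only on a client-supplied ID beside one scoped to the authenticated account, plus a small log check for cross-account hits. Record locators, account numbers and the in-memory store are constructed.

```python
"""Added example: client-supplied ID trusted without an access check (IDOR),
shown as a vulnerable lookup beside a hardened one. All data is constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Reservation:
    record_locator: str   # PNR-style value, constructed
    owner_account: str    # loyalty account that owns the booking, constructed
    last_name: str

# Constructed store keyed by the reservation ID the client sends.
RESERVATIONS = {
    "ABC123": Reservation("ABC123", "MP-1001", "SMITH"),
    "XYZ789": Reservation("XYZ789", "MP-2002", "JONES"),
}

class Forbidden(Exception):
    """Raised when the caller is not entitled to the requested record."""

def get_reservation_insecure(session_account: str, res_id: str) -> Optional[Reservation]:
    # Vulnerable pattern: the ID from the client is the only input to the lookup.
    # The authenticated account is never consulted, so any valid ID is served.
    return RESERVATIONS.get(res_id)

def get_reservation_secure(session_account: str, res_id: str) -> Reservation:
    # Hardened pattern: the lookup is scoped to the caller's own account.
    # A miss and a foreign record raise the same error, so the response does
    # not reveal whether a guessed ID exists (no enumeration oracle).
    res = RESERVATIONS.get(res_id)
    if res is None or res.owner_account != session_account:
        raise Forbidden("reservation not found")
    return res

def is_denied(session_account: str, res_id: str) -> bool:
    """True when the hardened lookup refuses the request."""
    try:
        get_reservation_secure(session_account, res_id)
    except Forbidden:
        return True
    return False

def audit_cross_account_hits(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Detection side: flag requests whose reservation belongs to a different
    account than the session. Input is constructed 'account res_id' lines
    standing in for an access log."""
    hits = []
    for line in log_lines:
        account, res_id = line.split()
        res = RESERVATIONS.get(res_id)
        if res is not None and res.owner_account != account:
            hits.append((account, res_id))
    return hits
```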

~~~
buro9
It's frequently scarier than that. I've seen applications do the right thing
by IDs and queries, but then attempt to audit access and not correctly escape
or sanitise HTTP headers.

Literally, every single piece of information that an application receives is
not to be trusted. Even if it's something you think you have set and have full
control of (a cookie value), you're wrong... you have no control, and
attackers can and will manipulate every field or property to gain a foothold.

~~~
buro9
Actually, case in point... X-Forwarded-For. This is not in a spec, people are
using it as an unofficial standard. But so long as your edge removes it and
then sets it... you're good.

Except Google are doing their page speed optimisation thing in the style of
the Opera Mini proxy, but for Chrome users on Android. Google have chosen to
populate X-Forwarded-For, so any website that wants to audit the IP address of
an end user now has to read this untrusted header.

So devs will realise this, look at the header, stop stripping it at the edge,
and start trusting what is essentially a string that anyone can set.
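Resolving a client address from X-Forwarded-For without trusting "a string that anyone can set", as an added example that is not from the thread: the header is only believed for hops appended by proxies we operate, walking from the right, and the naive leftmost-value parser is shown beside it for contrast. The trusted proxy networks and sample chains are constructed.

```python
"""Added example: trusted-hop parsing of X-Forwarded-For. Proxy networks are
constructed; the function assumes every proxy you operate is listed."""
import ipaddress
from typing import Optional

# Constructed: address ranges of the proxies we run (the 'edge').
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("192.0.2.0/24")]

def _is_trusted(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False          # unparsable values are never trusted
    return any(ip in net for net in TRUSTED_PROXIES)

def naive_client_ip(remote_addr: str, xff: Optional[str]) -> str:
    # The pattern to avoid: take the leftmost value, which the client controls.
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr

def client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """Walk the chain from the right (the hop nearest us) and discard every
    address that is one of our own proxies; the first address that is not
    ours is the best available client IP. Anything further left was supplied
    by an untrusted party and is ignored. If the TCP peer itself is not one of
    our proxies, the header cannot be trusted at all."""
    if not _is_trusted(remote_addr):
        return remote_addr
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not _is_trusted(hop):
            try:
                return str(ipaddress.ip_address(hop))
            except ValueError:
                break         # malformed hop: fall back to the peer address
    return remote_addr
```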

~~~
xena
I like the way IRC networks handle this, they use a pre-connection protocol
verb called WEBIRC (de-facto standard documented here:
[http://git.io/vBLYp](http://git.io/vBLYp)) that also enforces a whitelist of
IP address + password combination. This stops most abuse of this feature.
Maybe HTTP servers should have something similar.

------
ryandrake
Is six months really unreasonable for a big bloated bureaucracy like United
Airlines? I've worked on projects for smaller tech companies with release
cycles longer than that. Not defending--obviously they should be set up to be
able to put out small emergency fixes quickly especially if they're running a
bug bounty. But, hey, it's an airline: releasing software is not exactly their
bread and butter.

~~~
halviti
Let's rephrase your question: "Is six months really unreasonable for an
airline to fix a vulnerability that allows customer data to be stolen?"

Yes, I would say so... especially since this is a 'duplicate' meaning that
multiple people were already aware of this, and on top of that it seems the
only reason it was eventually fixed was because they couldn't delay fixing the
problem any more.

I don't think anyone would consider this reasonable.

~~~
protomyth
Which makes you wonder if person #3 or higher submitting this bug couldn't
sell it since they are not getting a bounty. Six months is a long time to leak
customer information.

~~~
crpatino
If 3 different whitehats found the same bug independently, it's a fairly sure
bet that a number of blackhats are already exploiting it.

------
jcdavis
I reported 2 admittedly minor web security bugs to them several months back
that surprisingly I was apparently the first to report, but still haven't
heard back about either.

------
MrQuincle
Mine was a duplicate as well. Anyone here who was paid out?

~~~
dsacco
Yes.

------
jsjohnst
If you know the PNR of an itinerary and the person's last name you can quite
easily do most of what was described in this article via United's website or
over the phone. Always makes me laugh when I see folks posting full images of
their plane tickets online, they so easily could have their travel plans
screwed. :(

~~~
MichaelGG
Yeah at one point their app endpoints returned full PNR and last names, then
truncated for display. I always thought it'd have been fun to exploit it to
bump yourself up on the upgrade list by changing the flights of those in front
of you.

------
swang
Just checked this using mitmproxy. My United MileagePlus Account is definitely
there.

Also, you need a valid MP#, and the # is not sequential (nor all numbers).

At least they're using https.

Edit: Also annoying the app keeps making calls to Gogo wifi and some other
Wifi page.

Edit2: I just realized United _did_ fix it. Thought it said they refused to
fix it.

------
erikb
It's so funny to see how surprised people are about the "corp" IT compared to
the "free" IT world. Once I was also surprised about how long it takes and
that very important things can be out of scope.

I think the reason is that in fact in teams of >10 people nobody really knows
what's going on. That anything happens is more the result of many attempts and
some luck. That nothing succeeds is the default.

Think of it more as "Twitch Programs Flight Ticketmanager App" than actual
software development as you read it in a book. (I once worked with >5 other
guys on getting a string in one computer pointing to another computer, took
the whole week)

------
blantonl
How was this vulnerability able to be exposed in the first place if the API is
communicating over SSL?

~~~
peterkelly
You can intercept your own SSL communications if you create your own
certificate authority and add it to the list of trusted CAs on your device.
You can then use this to generate SSL certificates for arbitrary domains, and
by proxying traffic through your own machine you can grab the plaintext by
impersonating the real site. Of course this will only work for devices you
have added your CA to; you won't be able to intercept just anyone's traffic.

There's an app for OS X called Charles, which automates this process for you,
acting as a proxy and generating the fake certificates on-demand. See
[https://www.charlesproxy.com/documentation/using-charles/ssl-certificates/](https://www.charlesproxy.com/documentation/using-charles/ssl-certificates/)

~~~
joshmn
> There's an app for OS X called Charles, which automates this process for
> you, acting as a proxy and generating the fake certificates on-demand.

It's a bit more difficult than just loading up an MITM and generating the
certs; if they've pinned (which they have), you have to go a _bit_ deeper than
_just_ using an MITM proxy.

------
thedogeye
Have you participated in a bug bounty program on Hacker One? We are running
one there now.

------
phphphph
> Using just these two values, an attacker could completely manage any aspect
> of a flight reservation using United’s website.

Don't most airline websites allow that when you get the last name and date of
departure right?

~~~
fphilipe
Yes. But the point is that he was able to gain these two bits of information.

------
vezzy-fnord
Classic case of confused deputies caused by ambient authority. Wonder if we'll
ever outlive these kinds of bugs.

