

United declares 4-digit pin login and lack of SSL “functioning as designed” - sethvargo
https://twitter.com/sethvargo/status/617873824344702976

======
curryhoward
> That means the attack surface for accessing someone's account is NP hard,
> but N is always equal to 4.

FYI, the "N" in "NP hard" is not a number. It stands for nondeterministic. The
mention of "NP hard" in the first place just seems...unnecessary.

~~~
blintzing
Is he perhaps joking? Even a brief read of the Wikipedia article makes it
clear that NP-hard isn't a mathematical expression in which 'N' stands for a
number...

~~~
UnoriginalGuy
He could be in the tweet (giving the benefit of the doubt), but there's no way
he is in the email reading it in context.

------
eastbayjake
It's not a bug _for the purposes of a bug bounty program_ because logging in
with a 4-digit PIN is the actual design, not an unintended flaw in
implementation.

------
akerl_
Title seems quite linkbaity. In a 4-digit PIN-based system, being able to log
in with a 4-digit PIN isn't a vuln, it's how the system works.

They even state up-front that improvements to the system are in the works.

~~~
nhf
Agreed. However, United still has very glaring security issues with their site
that go far beyond the 4 digit PIN. I can't provide concrete details because I
still have a pending bug bounty report, but stuff along the lines of
bad/missing HTTPS and easy hijacking of account management sessions.

------
deftnerd
Also, when you factor in the human tendency to pick very easily guessed PIN
codes, it's laughably easy [1]: 11% are "1234".

Also, when you log into the United website, you can transfer airline miles.
True, once someone complains about their miles disappearing, United might pull
them back and ban the receiving account, but it might take a while.

It would be trivially easy to steal lots of airline miles into one hacked
account and then sell them onto other people on the open market. When United
takes them back, the buyers will be without recourse.

[1] http://www.datagenetics.com/blog/september32012/index.html
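To put a number on the point above about easily guessed PINs, here is an added example (not from the thread or from United) that computes how likely a most-likely-first guesser is to hit a random user's PIN before a per-account attempt limit kicks in. The PIN popularity table is constructed for illustration; only the 11% for "1234" is the figure quoted in the comment, every other row is an assumption.

```python
"""Added illustration: how much an attempt limit buys against a 4-digit PIN
when users pick PINs non-uniformly.

Assumption: the attacker guesses most-likely-first. The frequency table is
CONSTRUCTED for illustration; only the 11% share for "1234" is the figure
quoted in the thread, every other row is made up.
"""

PIN_SPACE = 10_000  # 4 decimal digits

# Constructed popularity table (share of users choosing each PIN).
POPULAR_PINS = {
    "1234": 0.11,   # the figure cited in the comment above
    "1111": 0.06,   # constructed
    "0000": 0.02,   # constructed
    "1212": 0.012,  # constructed
    "7777": 0.007,  # constructed
    "1004": 0.006,  # constructed
    "2000": 0.006,  # constructed
    "4444": 0.005,  # constructed
    "2222": 0.005,  # constructed
    "6969": 0.005,  # constructed
}


def success_probability(attempts, popular=POPULAR_PINS, pin_space=PIN_SPACE):
    """Probability that a most-likely-first guesser hits a random user's PIN
    within `attempts` tries, i.e. before a per-account lockout at that count.
    Mass not in the table is assumed spread evenly over the remaining PINs."""
    ordered = sorted(popular.values(), reverse=True)
    rest_each = (1.0 - sum(ordered)) / (pin_space - len(ordered))
    prob = 0.0
    for i in range(min(attempts, pin_space)):
        prob += ordered[i] if i < len(ordered) else rest_each
    return prob


def uniform_success_probability(attempts, pin_space=PIN_SPACE):
    """Same quantity if every PIN were equally likely (the naive 1/10000 view)."""
    return min(attempts, pin_space) / pin_space


def lockout_comparison(limits=(1, 3, 5, 10)):
    """Map each lockout threshold to (skewed, uniform) success probabilities."""
    return {n: (success_probability(n), uniform_success_probability(n)) for n in limits}


if __name__ == "__main__":
    for n, (skewed, uniform) in lockout_comparison().items():
        print(f"lockout after {n:>2} tries: skewed {skewed:6.1%} vs uniform {uniform:7.3%}")
```

The gap between the two columns is the cost of letting users choose the PIN: a 3-try lockout still leaves a roughly one-in-five success rate against the constructed distribution, versus 0.03% if PINs were assigned uniformly at random.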

~~~
nadams
> Also, when you log into the United website, you can transfer airline miles.
> True, once someone complains about their miles disappearing, United might
> pull them back and ban the receiving account, but it might take a while.

Put that into context - there are several groups of people:

A - those who are accruing miles who don't know/care

B - those who accrue miles but only use them/care when they are going
somewhere in which they want to redeem them (i.e. vacation)

C - those who check their accounts daily

I would argue the vast majority of United's customers fall into A or B, which
means that by the time the customer figures out what happened, the miles will
be long gone. And I'm sure United's response will be "sorry, can't do
anything".

> When United takes them back, the buyers will be without recourse.

That is assuming they are even willing or the miles haven't been redeemed
already.

Playing devil's advocate, this isn't United's fault really - what is the
balance between security and ease of use? From a business standpoint you want
the service as easy as possible to use so people give you money. The average
person doesn't want to deal with email verification, complex passwords, or
one-time passwords - they just want to enter their credit card number and buy
the ticket. Though, I'm sure United is making enough to lose a few
customers...but it's all about money.

------
NeutronBoy
Well, is that how it's supposed to be functioning?

The tweet says it's a security vulnerability, their response says it's
functioning as designed. Not mutually exclusive.

