Flying has never been more convenient for customers. The security checks might be a drag, but sometimes all it takes to check in online is punching in a few digits into a mobile app.
But that may be just a little too convenient. A cybersecurity company has discovered that it's possible to obtain the personal and flight information of United Airlines MileagePlus customers through the company's app.
"An attacker can get access to personal details such as email, phone number, flight details (origin, destination, date, time, seat) and even the boarding pass," Yosi Dahan, co-founder and CEO of Turrisio Cybersecurity, told Motherboard in an email.
When logging into the United Airlines app to check in, a customer can either enter their booking confirmation code or MileagePlus ID and doesn't need to give any other information, such as a password. MileagePlus is United Airlines' frequent flyer program. If the user's flight is within 24 hours, their information will be displayed on the app.
MileagePlus IDs are very basic: they come in the format of two letters, followed by six digits. So instead of having to find out the ID of a particular customer, Dahan wrote a simple Python proof-of-concept script that could allow an attacker to grind through the possible combinations of IDs and automatically check if any flights were booked with them.
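The check-in flow described above (a lookup keyed on nothing but an ID of a known, small format) is what makes automated enumeration practical, and it is also what makes enumeration easy to spot on the server side. The script below is an added example written for this article from the defender's perspective; it is not Dahan's proof of concept and not United's code. It computes the size of the ID space from the two-letters-six-digits format the article describes, then runs a simple sliding-window check over constructed log lines (not real United logs) to flag any client that looks up many distinct MileagePlus IDs in a short period. The log format, the regular expression for the ID and the thresholds are all assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed pattern for the ID format the article describes: two letters, six digits.
MILEAGEPLUS_ID = re.compile(r"^[A-Z]{2}\d{6}$")


def keyspace_size() -> int:
    """How many IDs fit the two-letters-six-digits format (26^2 * 10^6)."""
    return 26 ** 2 * 10 ** 6


# Constructed sample log (hypothetical format): "<iso timestamp> <client ip> <id looked up> <result>".
# 203.0.113.5 walks through consecutive IDs; 198.51.100.7 is an ordinary customer
# checking the same booking twice.
SAMPLE_LOG = """\
2015-04-27T10:00:00 203.0.113.5 AB123450 not_found
2015-04-27T10:00:01 203.0.113.5 AB123451 not_found
2015-04-27T10:00:02 203.0.113.5 AB123452 not_found
2015-04-27T10:00:03 198.51.100.7 CD987654 found
2015-04-27T10:00:03 203.0.113.5 AB123453 found
2015-04-27T10:00:04 203.0.113.5 AB123454 not_found
2015-04-27T10:00:05 203.0.113.5 AB123455 not_found
2015-04-27T10:00:06 203.0.113.5 AB123456 not_found
2015-04-27T10:00:07 203.0.113.5 AB123457 not_found
2015-04-27T10:03:00 198.51.100.7 CD987654 found
"""


def parse_line(line: str):
    """Split one constructed log line into (timestamp, client, id, result)."""
    ts, client, mp_id, result = line.split()
    return datetime.fromisoformat(ts), client, mp_id, result


def find_enumeration(log_text: str,
                     window: timedelta = timedelta(seconds=60),
                     max_distinct: int = 5) -> dict:
    """Return {client: peak distinct IDs seen inside one window} for clients over the threshold.

    A legitimate customer retries the same one or two IDs; an enumeration walk
    produces many *distinct* IDs from one client in a short time, so we count
    distinct IDs per client over a sliding time window rather than raw requests.
    """
    recent = defaultdict(deque)   # client -> deque of (timestamp, id), oldest first
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, mp_id, _result = parse_line(line)
        if not MILEAGEPLUS_ID.match(mp_id):
            continue  # confirmation-code lookups would be analysed separately
        q = recent[client]
        q.append((ts, mp_id))
        # Drop entries that have aged out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = len({i for _, i in q})
        if distinct > max_distinct:
            flagged[client] = max(flagged.get(client, 0), distinct)
    return flagged


if __name__ == "__main__":
    print("ID keyspace:", keyspace_size())
    print("clients flagged:", find_enumeration(SAMPLE_LOG))
```

Run as-is, the script reports a keyspace of 676,000,000 IDs and flags only 203.0.113.5, which reaches eight distinct IDs inside the window; the repeat lookups from 198.51.100.7 never cross the threshold. In a real deployment the same signal would feed rate limiting on the check-in endpoint, and the lookup itself would be tied to something the ID alone does not reveal, such as the passenger's last name, rather than to the ID by itself.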
There is no indication that the app has actually been abused by criminals. But Dahan, who has previously written about the MileagePlus app security, envisioned that it could be possible to launch a social engineering attack with information gleaned this way. He suggested, for instance, that an attacker could call a victim and present them with information that only United Airlines should know, then scam them into handing over credit card details.
"This is the same type of vulnerability that weev [Andrew Auernheimer] was incarcerated over and yet as a penetration tester I have seen this type of vulnerability a lot," Justin Seitz, author of two Python hacking books, said in an email. "Numerous mobile APIs that were never designed to see the light of day can be mined for information using 10 line Python scripts like you see in that proof of concept."
United Airlines downplayed the significance of the discovery, which Dahan reported through the company's bug bounty program less than 24 hours ago. "What Mr. Dahan incorrectly calls a bug is in fact the intended behavior of our mobile app, which we designed to make the flight check-in process as simple as possible to accommodate the broadest number of customers," a spokesperson told Motherboard in an email. "While we continuously assess and enhance our security procedures, we have extensive programs in place to protect our customers and their personal information."