About six months ago, United Airlines launched its bug bounty program. Find and report a security bug anywhere within the airline's websites, apps, or other online portals, and, assuming a few simple conditions are met, you will be rewarded handsomely in frequent flier miles. This has paid out big time at least once: last July, a security pro in Florida found a bug worth a million miles, though part of the deal is that he can't publicly say what the bug actually was. Based on the bounty, we can assume it was a pretty big deal.
In the weeks following the bounty program's launch, a security researcher named Randy Westergren found what he thought was a big-deal bug. After chewing through a series of API requests sent to and from the United system as he made a test reservation, Westergren came across an information leak known as an Insecure Direct Object Reference (IDOR). Essentially, this is where it becomes possible to reach some object in a system directly (a database record or whatever) rather than going through all of the login/validation procedures that are supposed to guard it. By modifying, say, a parameter within a URL query string (the junk after the question mark), a hacker might skip the whole authentication process.
Here, the system was offering both the customer's last name and a "recordLocator" variable. "Using just these two values, an attacker could completely manage any aspect of a flight reservation using United's website," Westergren wrote in a blog post published Sunday. "This includes access to all of the flight's departures, arrivals, the reservation payment receipt (payment method and last 4 of CC), personal information about passengers (phone numbers, emergency contacts), and the ability to change/cancel the flight."
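As an added illustration (not code from United or from Westergren's post), here is a reservation lookup in the shape the article describes, first with the IDOR and then with the ownership check that closes it. The in-memory reservation store, the account ids and the assumption that every booking belongs to an authenticated account are constructed for this example.

```python
from dataclasses import dataclass, field

@dataclass
class Reservation:
    record_locator: str
    last_name: str
    owner_id: str                      # account that made the booking (assumed)
    passengers: list = field(default_factory=list)
    receipt_last4: str = "0000"

# Constructed sample data standing in for the reservation store.
DB = {
    "ABC123": Reservation("ABC123", "Doe", "user-1", ["Jane Doe"], "4242"),
    "XYZ789": Reservation("XYZ789", "Roe", "user-2", ["Rick Roe"], "1337"),
}

class Forbidden(Exception):
    pass

def lookup_vulnerable(record_locator, last_name):
    """IDOR: the two values the API was handing out are the whole credential.
    Whoever holds them can read and (in the real flaw) change the booking."""
    r = DB.get(record_locator)
    if r is None or r.last_name.lower() != last_name.lower():
        raise Forbidden("no such reservation")
    return r

def lookup_fixed(session_user_id, record_locator, last_name):
    """Hardened: the object reference is honoured only when the authenticated
    session owns it, so the leaked pair alone no longer grants access."""
    r = DB.get(record_locator)
    if r is None or r.last_name.lower() != last_name.lower():
        raise Forbidden("no such reservation")
    if r.owner_id != session_user_id:
        # A valid locator/name pair presented by the wrong account is the
        # signature of an IDOR probe; worth logging for detection.
        raise Forbidden("reservation not owned by this account")
    return r

def can_access(session_user_id, record_locator, last_name):
    """True if the hardened lookup would permit the request."""
    try:
        lookup_fixed(session_user_id, record_locator, last_name)
        return True
    except Forbidden:
        return False
```

Note that the vulnerable version never asks who is making the request, which is exactly why the two leaked values were enough to manage any booking.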
That's obviously bad news. So, Westergren prepared and submitted a report to United. And waited.
"Since I understood they were probably overwhelmed with the number of vulnerability submissions, I expected a delayed acknowledgment/response," Westergren said. "I didn't expect, however, for the issue to remain unpatched five months later. In fact, believing that six months was a more than reasonable time frame to get the issue patched (likely a one-line fix), I ultimately had to inform them of my intention to publicly disclose the unpatched vulnerability on November 28 (six months after my original submission). This gave them a few more weeks to get it patched, hopefully avoiding public disclosure."
On November 14, United finally responded to Westergren that the vulnerability had been patched. He tested it and is satisfied with the fix.
He did not, however, get a payout. His report was marked as a duplicate, indicating that someone had beat him to it. Westergren doesn't seem put out by that so much as by the long delay in getting a patch out. Bug bounties are a cool idea, but they only work if someone's actually fixing the bugs.
Reached by phone on Monday, United spokesperson Luke Punzenberger offered the following statement: "The protection of our customers' information is one of our top priorities, and we have extensive security measures in place to safeguard their personal data. We have addressed this issue and are confident that our systems are secure. We remain vigilant in protecting against unauthorized access and will continue to use best-practices on cyber-security to maintain our effectiveness."