- Hacker Sam Curry discovered flaws in Points.com’s platform, potentially putting frequent flyer programs at risk. The vulnerabilities allowed access to 22 million orders, personal data, and the ability to transfer points and modify accounts.
- Specific vulnerabilities were found in Virgin Atlantic and United MileagePlus accounts, allowing hackers to add/remove points, transfer miles, and access personal information.
- Points.com promptly responded and fixed the issues, but the incident highlights the need for increased security measures in frequent flyer programs to protect valuable data and prevent financial risks.
As cyberattacks become more common globally, frequent flyer programs are no exception, and given their high cash value, they can be a lucrative target. This made hacker Sam Curry’s recent revelation about flaws in Points.com’s platform alarming for many. The firm handles transactions for programs such as American’s AAdvantage, Emirates’ Skywards, Virgin Atlantic’s Flying Club, and many more. Sam Curry handed the research over to Points.com, which promptly fixed its systems, but the flaws that existed before were gaping.
Access to 22 million orders
You’ve likely encountered Points.com when trying to buy or transfer points, with the company handling the payment and transfer of miles to the account. Considering its reach, hacker Sam Curry and a few others teamed up to see if they could exploit any vulnerabilities to affect balances or see personal data. They worked between March and May of this year, finding several issues.
In March, they were able to use an unauthenticated HTTP request to reach an internal API that could query 22 million orders. Each order contained partial credit card numbers, names, addresses, frequent flyer numbers, phone numbers, and more. With 100 results returned per request, attackers could filter for specific accounts and retrieve all of the above details.
Photo: Virgin Atlantic/Points.com
Another issue they found, due to an improperly configured API, was that accounts could be accessed with only the frequent flyer number and surname. This allowed access to billing history and order history and, crucially, the ability to transfer points away from customers. The two vulnerabilities combined could have led to massive losses and put valuable data in the hands of bad actors.
Virgin Atlantic and United found out
In May, the team found vulnerabilities specific to Virgin Atlantic’s Flying Club page hosted by Points.com due to leaked authentication keys. In particular, the hackers were able to access Points.com’s page for the airline and modify accounts. This meant the ability to add or remove points or modify any other setting in your Virgin account.
United MileagePlus accounts faced another issue, where hackers were able to generate an authorization token using only a MileagePlus number and surname. This token authenticated on several apps, and with it hackers could transfer miles to themselves. In addition, names, billing addresses, emails, and redacted credit card information could be accessed as well.
Photo: Angel DiBilio/Shutterstock
Finally, the hackers were able to access the Points.com global administration website by guessing the secret used to sign its session cookie (the Flask session secret), which was simply “secret.” This allowed the group to give themselves administrator access and unlimited authority to change the value of points (1:1 to 1:1 million was the example), manage promotions, look up users, and much more.
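The last finding comes down to a guessable signing secret. As an added illustration (this is not code from Points.com or from the researchers), the startup guard below refuses to run an app whose session-signing secret is a placeholder, too short, or low in entropy, and generates a proper one instead. The denylist, the thresholds, and the configuration key name are assumptions for the example.

```python
# Added example: refuse to start with a guessable Flask-style SECRET_KEY.
# The denylist and thresholds are illustrative assumptions, not a standard.
import math
import secrets
from collections import Counter
from typing import Optional

# Constructed list of placeholder values that tend to be left in configs.
WEAK_SECRET_DENYLIST = {"secret", "changeme", "password", "dev", "test", "flask"}
MIN_SECRET_BYTES = 32   # 256 bits of keying material for the cookie HMAC
MIN_SHANNON_BITS = 3.0  # bits per character; random hex scores close to 4.0


def shannon_entropy(value: str) -> float:
    """Estimate bits of entropy per character from character frequencies."""
    if not value:
        return 0.0
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def secret_key_problem(secret) -> Optional[str]:
    """Return why the secret is unacceptable, or None if it passes all checks."""
    if secret is None:
        return "no SECRET_KEY configured; session cookies cannot be signed safely"
    text = secret.decode("utf-8", "replace") if isinstance(secret, bytes) else str(secret)
    if text.strip().lower() in WEAK_SECRET_DENYLIST:
        return f"SECRET_KEY {text!r} is a well-known placeholder"
    size = len(text.encode("utf-8"))
    if size < MIN_SECRET_BYTES:
        return f"SECRET_KEY is {size} bytes; need at least {MIN_SECRET_BYTES}"
    if shannon_entropy(text) < MIN_SHANNON_BITS:
        return "SECRET_KEY has low entropy (few distinct or repeated characters)"
    return None


def generate_secret_key() -> str:
    """Fresh 256-bit secret from the OS CSPRNG, hex-encoded (64 characters)."""
    return secrets.token_hex(MIN_SECRET_BYTES)


def enforce_secret_key(config: dict) -> dict:
    """Startup guard: raise rather than serve cookies signed with a weak key."""
    problem = secret_key_problem(config.get("SECRET_KEY"))
    if problem:
        raise RuntimeError(f"refusing to start: {problem}")
    return config


if __name__ == "__main__":
    try:
        enforce_secret_key({"SECRET_KEY": "secret"})  # the value from the report
    except RuntimeError as exc:
        print(exc)
    print("strong key accepted:", enforce_secret_key({"SECRET_KEY": generate_secret_key()}) is not None)
```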
Sam Curry and team handed over their information to Points.com, which fixed most of the issues in a matter of minutes, either on the spot or by temporarily taking down the affected website. The final issue, administrator access, took an hour to resolve. However, it is good to see that the firm is at least on top of patching security issues, despite having let them exist for an unknown period beforehand.
In addition to affecting users, frequent flyer points are a valuable currency that can be redeemed for cash equivalents, making this a huge privacy and financial risk for airline clients. Therefore, these programs demand high levels of protection, and undoubtedly this report is going to push other players into beefing up their protocols as well. For now, we can only be thankful that the vulnerabilities were found by a group without nefarious intentions who reported them promptly.