Vulnerabilities Discovered in Major Travel Rewards Programs Raise Data Security Concerns
Hey Mck’s, today we are talking about a concerning vulnerability that exposed users’ personal data to unauthorized parties. It’s pretty concerning. So, you know those cool perks airlines and hotels offer when you join their loyalty programs? Well, many of them run on the same digital platform, called Points.com, which handles all the backend work through its application programming interface (API).
But guess what? A group of security researchers found some serious vulnerabilities in this Points.com API. And it’s not good news for users like us. These flaws could have been exploited to expose our data, steal our precious “loyalty currency” (you know, like those hard-earned miles), or even give hackers control over entire loyalty programs.

The researchers — Ian Carroll, Shubham Shah, and Sam Curry — reported these problems to Points.com between March and May, and luckily, they’ve fixed all the issues now.
One of the bugs allowed the researchers to move around within the Points API and access some internal sections, like customer orders. So, imagine 22 million order records, including our account numbers, addresses, phone numbers, email addresses, and even partial credit card numbers — all at risk! Points.com did have some rate limits in place, so hackers couldn’t just grab everything at once. But they could have targeted specific people or slowly stolen data over time.

Another issue they found was a problem with the API configuration. It could have let attackers generate an account authorization token using just someone’s last name and rewards number. Yeah, it’s that easy! With that token, they could have taken over our accounts and transferred our miles or rewards points to themselves. That’s like stealing our hard-earned benefits!
The researchers also discovered similar vulnerabilities affecting Virgin Red and United MileagePlus, but thankfully, Points.com fixed those too.

But wait, it gets worse! The biggest shocker was that the Points.com global administration website had a huge security flaw. The encrypted cookies assigned to each user were encrypted with a super weak “secret” — yes, just the word “secret” itself. Can you believe it? By guessing this “secret,” the researchers could unlock the cookies, giving them god-like access to any Points reward system. They could have granted themselves unlimited miles or benefits and done whatever they pleased.
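To make the cookie problem concrete from the defender’s side, here is a small added example in Python. It is not code from Points.com or from the researchers; it simply shows how a server should mint and check a signed session cookie: refuse a secret that is a dictionary word like “secret” or too short, generate the real secret from the OS random source, and verify the signature with a constant-time comparison. Function names, the weak-word list and the sample payload are all constructed for this illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed list of secrets that should never be accepted as a cookie key.
WEAK_SECRETS = {"secret", "password", "changeme", "admin", "key", "test", ""}
MIN_SECRET_BYTES = 32


def is_weak_secret(secret: bytes) -> bool:
    """True if the key is a well-known word or too short to resist guessing."""
    word = secret.decode("utf-8", errors="ignore").strip().lower()
    return word in WEAK_SECRETS or len(secret) < MIN_SECRET_BYTES


def generate_secret() -> bytes:
    """A fresh 256-bit key from the OS CSPRNG; store it in a secrets manager."""
    return secrets.token_bytes(MIN_SECRET_BYTES)


def sign_cookie(payload: dict, secret: bytes) -> str:
    """Encode the payload and append an HMAC-SHA256 tag keyed with the secret."""
    if is_weak_secret(secret):
        raise ValueError("cookie signing secret is too weak to deploy")
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()
    ).decode()
    tag = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_cookie(cookie: str, secret: bytes) -> Optional[dict]:
    """Return the payload only if the tag matches; None on any tampering."""
    try:
        body, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    # Constant-time compare so timing does not leak how many bytes matched.
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


if __name__ == "__main__":
    key = generate_secret()
    cookie = sign_cookie({"user": "alice", "role": "member"}, key)  # constructed payload
    print(verify_cookie(cookie, key))          # payload comes back intact
    print(verify_cookie(cookie + "x", key))    # tampered tag -> None
    print(verify_cookie(cookie, generate_secret()))  # wrong key -> None
```

The weak-secret check runs at signing time, so a deployment that still ships with a placeholder key fails loudly at startup instead of quietly issuing cookies anyone can forge.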
Now, let’s not be all doom and gloom. Points.com was quick to respond and collaborated with the researchers to fix everything. According to the researchers, the fixes seem to work, and Points.com was pretty responsive in dealing with the issues. Plus, they’ve assured us that no one misused the exposed data, and everything accessed during the research has been destroyed. But here’s the takeaway: it’s crucial for all companies to take data security seriously, especially when handling sensitive info like ours. With attackers increasingly targeting shared platforms that many brands depend on, it’s important for organizations to regularly assess their security measures and keep our data safe.
So, let’s keep an eye on our rewards accounts and hope that companies learn from this and step up their security game. Stay safe out there!
#TravelRewards #DataSecurity #RewardsPrograms #Pointscom #LoyaltyPrograms #Cybersecurity #DigitalInfrastructure #Vulnerability #MilesAndNights #ProtectYourData #API #AccountSecurity #CustomerPrivacy #FixTheBugs #SecureYourSystems #PointsAPI #TravelPerks #DataProtection #LoyaltyCurrency #StaySafeOnline #RewardPoints #HackersBeware #OnlineSecurity #SecureRewards #MilesThieves #LoyaltyHacking #DigitalSafety