back to article United Airlines accounts open to mass lock-outs

A simple brute-force attack is all that's needed to lock users out of their frequent flyer accounts. However, in spite fof the discovery, by Turrisio Cybersecurity security officer Yosi Dahan, being disclosed under the airline's bug bounty in March, the researcher is complaining that United isn't responding to him. Dahan says …

  1. Dr Trevor Marshall

    Poor editing - here is the key to this issue

    "Dahan says the MileagePlus system will inform when user identification numbers are incorrect"

    So as you scan all possible numbers, the system reduces the load on your your bot. That is not acceptable in this day and age...

    1. Alister

      Re: Poor editing - here is the key to this issue

      "Dahan says the MileagePlus system will inform when user identification numbers are incorrect"

      This is a problem where web developers try to be too helpful to the customer.

      The error message for a failed login should not identify which bit (username / ID or password) is wrong, it should just give a generic "Login details incorrect" for both an incorrect ID or an incorrect password.

      That way, at least there is no shortcut for a hacker, they have to find both a valid ID and matching password.

  2. Kevin McMurtrie Silver badge

    Nothing new

    Lots of banks have this stupid issue too. Enter e-mail address and bad password about 5 times and your victim is locked out.

  3. Joe Montana

    Account lockouts

    This is an EXTREMELY common problem, because most security manuals say you should lock accounts after several unsuccessful attempts and many commonly available products provide no other options for blocking or alerting on brute force attempts.

    This fails for two reasons, not only the deliberate denial of service that can be performed by intentionally entering wrong passwords but also because it completely fails to take into account the methodologies employed by real hackers. In most cases, a specific account is not the target - hackers just want *any* accounts and in some instances, as many accounts as possible... So rather than try thousands of passwords against a single account, they try a small subset of common passwords against many accounts - an attack which would not trigger an account lockout response.

    1. Buzzword

      Re: Account lockouts

      Indeed. It's trivially easy to get your hands on a bulk list of valid email addresses, and if you're DDoSing a large company (say Amazon, EE, Tesco's) where half the country has an account, you'll get a pretty good hit rate.

  4. Anonymous Coward
    Anonymous Coward

    Are those first class miles or cattle class miles ?

  5. paulf
    Terminator

    Some websites are particularly bad

    The website of one big company in the UK allows a password reset by simply asking for the sign in user name. User names in isolation can be guessed (e.g. jsmith, johnsmith, johns) easier than username and some other credential (e.g. email address) so this would make an account lock out brute force attack pretty easy.

    This interests me because I've been locked out of my account at said company for two months as a result of someone resetting my password multiple times this way (either by getting their username wrong or by guessing mine out of malevolence) and as a result locking my account so that password resets no longer work. The company in question isn't solving it either - bastards.

  6. jamesb2147

    90's tech

    United's code is ANCIENT and a carryover from a much smaller airline they merged with several years ago: Continental. The spectacularly failed integration of their two systems is considered the primary reason that American Airlines, in its merger with US Airways, is now working almost exclusively on a slow cutover to the reservation system of the *larger* airline (American, in case you were wondering).

    What's worse is that United actually has much bigger problems than just its IT infrastructure and code. They were absolutely HEMORRHAGING cash, for example, before the economy recovered and oil prices dropped, to the point that investors were beginning to talk of ousting the CEO. They have a company culture problem, too, and old (read: inefficient) planes with poor on-time performance. And all this with the largest international network of any US airline. *sigh*

    Anyone else here find it interesting that WorldMate is the company finding these bugs? I didn't even realize they were large enough to have a security officer. lol Srsly, though, if you travel a lot, check out their product.

    1. Anonymous Coward
      Anonymous Coward

      Re: 90's tech

      I believe the testing is on a new beta version of their site that is a little better - but still aspx based.

      You are correct - United before the merger had a really nice java-based web site that worked excellently and was extremely flexible and scalable. They were working with Oracle on improving it right up until the merger at which point the whole thing was dumped in favor of Continental's awful .net site. Even today you cannot book a ticket and have it confirmed and ticketed right away (which you could do ten years ago on the united site). It's an asynchronous process in which you confirm and pay for the ticket and hope it gets ticketed some time in the next 10-50 minutes. If availability or prices change in the meantime you are SOL.

      The merger really brought together the worst of both airlines - the shitty tech from Continental, and the shitty attitude from United. I would imagine that the US/American merger will proceed the same way.

      But I'm stuck with them since miles that I can't use on overseas trips are worthless to me - and I've flown with delta and american just as much over the years and they are all as bad as each other.

      1. jamesb2147

        Re: 90's tech

        I'm a little confused.

        "I believe the testing is on a new beta version of their site that is a little better - but still aspx based."

        They are testing a new beta website, but it *seems* (based on my limited exposure) to be a costmestic change with little to nothing changing on the backend. Great for mobile devices, I've been told, but not much different otherwise.

        "But I'm stuck with them since miles that I can't use on overseas trips are worthless to me - and I've flown with delta and american just as much over the years and they are all as bad as each other."

        Derp. Uhhhh, you do know that United has probably the lowest value points of any of the 3 big US airlines, right? A worthy argument could certainly be made that SkyMiles are worse, however, American's miles are certainly the most valuable of the Big 3 US. And if you're traveling in a premium cabin, then American's become *even more* valuable than the other two. God, United even blocks out award space on some flights completely unless you're elite or have their co-brand credit card.

        If you're looking to travel internationally, check out AA's award chart and compare it to United's on partners. Yeahhhhhhh. Delta doesn't even publish an award chart anymore; they'll be revenue-based soon enough.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022