- The flaws in Points.com were reported by InfoSec researcher Sam Curry.
- Points.com acts as a backend for multiple airline & hotel rewards programs.
- If hacked, scammers could’ve manipulated the loyalty progs on Points.com.
- Points.com has fixed the vulnerabilities, posing no current danger.
In a recent discovery that raises concerns about the security of personal data in loyalty rewards systems, cybersecurity researchers have unveiled a series of security vulnerabilities within points.com, a widely used airline and hotel rewards platform.
The vulnerabilities, which were brought to light by Sam Curry and his team, could have potentially compromised the personal information of millions of customers.
Points.com, acting as a backend for numerous airline and hotel rewards programs, also functions as a platform for trading and redeeming loyalty points. The security researchers, including Ian Carroll and Shubham Shah, identified five distinct security flaws over a period of several months that could have allowed unauthorized access to sensitive user data, including names, addresses, emails, phone numbers, and transaction details.
According to Curry’s blog post, of particular concern was the possibility that these vulnerabilities could have facilitated the transfer of loyalty points between accounts. Additionally, attackers could have gained access to a global administrator website, thereby gaining the ability to issue points, manage loyalty programs, and execute various administrative actions, according to Sam Curry.
The researchers’ findings included an unauthenticated HTTP path traversal bug, discovered in early March, which could have provided access to an internal API containing over 22 million order records.
This database exposed a plethora of information, ranging from partial credit card numbers to customer authorization tokens. The flaws extended to an authorization bypass in a misconfigured API that could have been exploited to transfer rewards points from users.
The impact of these vulnerabilities was far-reaching, with one of the identified bugs affecting United Airlines. This specific flaw could allow an attacker to generate an authorization token for any user simply by possessing their rewards number and surname. As a result, an attacker could transfer miles to themselves and even authenticate as a member on various MileagePlus-related applications.
Curry’s team also discovered weaknesses that impacted other partner businesses. A points.com-hosted Virgin rewards website was found to leak API authentication information, enabling an attacker to manipulate accounts and modify reward program settings.
Additionally, the researchers found a vulnerability involving the “Flask session secret” for the points.com global administration website, granting unauthorized access to crucial administrative functions.
Despite the concerning implications of these vulnerabilities, Curry praised points.com’s swift response to their reports. The platform’s security team promptly addressed each issue within approximately an hour of disclosure. Affected websites were taken offline for remediation before the vulnerabilities were successfully patched.