Globally Used Loyalty System Hacked for Good

Cybersecurity researcher Sam Curry and his team managed to hack before malicious threat actors could.


  1. The flaws in were reported by InfoSec researcher Sam Curry.
  2. acts as a backend for multiple airline & hotel rewards programs.
  3. If hacked, scammers could’ve manipulated the loyalty progs on
  4. has fixed the vulnerabilities, posing no current danger.

In a recent discovery that raises concerns about the security of personal data in loyalty rewards systems, cybersecurity researchers have unveiled a series of security vulnerabilities within, a widely used airline and hotel rewards platform.

The vulnerabilities, which were brought to light by Sam Curry and his team, could have potentially compromised the personal information of millions of customers., acting as a backend for numerous airline and hotel rewards programs, also functions as a platform for trading and redeeming loyalty points. The security researchers, including Ian Carroll and Shubham Shah, identified five distinct security flaws over a period of several months that could have allowed unauthorized access to sensitive user data, including names, addresses, emails, phone numbers, and transaction details.

Globally Used Loyalty System Hacked for Good

According to Curry’s blog post, of particular concern was the possibility that these vulnerabilities could have facilitated the transfer of loyalty points between accounts. Additionally, attackers could have gained access to a global administrator website, thereby gaining the ability to issue points, manage loyalty programs, and execute various administrative actions, according to Sam Curry.

The researchers’ findings included an unauthenticated HTTP path traversal bug, discovered in early March, which could have provided access to an internal API containing over 22 million order records.

This database exposed a plethora of information, ranging from partial credit card numbers to customer authorization tokens. The flaws extended to an authorization bypass in a misconfigured API that could have been exploited to transfer rewards points from users.

The impact of these vulnerabilities was far-reaching, with one of the identified bugs affecting United Airlines. This specific flaw could allow an attacker to generate an authorization token for any user simply by possessing their rewards number and surname. As a result, an attacker could transfer miles to themselves and even authenticate as a member on various MileagePlus-related applications.

Globally Used Loyalty System Hacked for Good
Access allowed researchers to gain thousands of dollars worth of points on United Airlines. (Image: Sam Curry)

Curry’s team also discovered weaknesses that impacted other partner businesses. A Virgin rewards website was found to leak API authentication information, enabling an attacker to manipulate accounts and modify reward program settings.

Additionally, the researchers found a vulnerability involving the “Flask session secret” for the global administration website, granting unauthorized access to crucial administrative functions.

Despite the concerning implications of these vulnerabilities, Curry praised’s swift response to their reports. The platform’s security team promptly addressed each issue within approximately an hour of disclosure. Affected websites were taken offline for remediation before the vulnerabilities were successfully patched.

More Hacks from Sam Curry
  1. Automotive Industry Exposed to Have Major API Vulnerabilities
  2. Vulnerability in allowed access to 50M user records
  3. Honda & Nissan Cars App Flaws: Hack by Knowing VIN Number
  4. 55 Apple vulnerabilities risked iCloud account takeover, data theft
Related Posts