Earlier this year we reported on United Airlines’ bug bounty program, which offers up to a million miles to anyone who finds a security bug in its systems. An Indian researcher, Rahul Mohanraj, read about the program and, perhaps excited by the prospect of travelling those million miles, started working on it!
According to Mohanraj, when he went through the airline’s website he found that the request which changes the privileges of an added email address did not carry any CSRF (Cross-Site Request Forgery) token. At first he considered reporting it to the airline but decided not to, because in his view it was not a big enough bug to be worth reporting.
However, he kept looking for a bigger security flaw and found that the process of promoting a secondary email address to the primary one also had no CSRF (Cross-Site Request Forgery) token. At that point he decided to report the bug to the airline. In an email response, United Airlines said that the ClickJacking issue had already been reported by someone else, but the CSRF problem had never been reported before, according to the blog post.
Now, when the bug is fixed, United Airlines has awarded the bug reporter “50,000 miles”.
CSRF (Cross-Site Request Forgery) is an attack in which a malicious website, email or message makes the victim’s web browser perform an unwanted action on a trusted site where the user is already authenticated, according to OWASP. The browser attaches the user’s session cookie to the forged request automatically, so the site cannot tell it apart from a request the user intended unless the request carries something, such as a CSRF token, that a third-party page cannot obtain.
ClickJacking, also known as a “UI redress attack”, is an attack in which the attacker tricks the user into clicking on something they did not intend to by placing transparent or opaque layers over the actual clickable link or button. This way, attackers can hijack clicks meant for one page and redirect them to another.
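To make both mitigations concrete, here is an added example (not United Airlines’ code, and not from the researcher’s blog post) modelling a “change primary email” request the way the report describes it, with no CSRF token, next to a hardened version. The hardened handler uses the synchronizer token pattern (a per-session secret embedded in the server’s own form and compared in constant time) and sends the `X-Frame-Options` and `Content-Security-Policy: frame-ancestors` headers that stop the page from being framed for ClickJacking. The in-memory session store, request dictionaries and function names are assumptions for illustration.

```python
import hmac
import secrets

# Constructed example: an in-memory session store standing in for the
# real application's session backend.
SESSIONS = {}  # session_id -> {"user": str, "email": str, "csrf_token": str}


def new_session(user, email):
    """Create a logged-in session and mint a per-session CSRF token."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "email": email,
                     "csrf_token": secrets.token_hex(32)}
    return sid


def csrf_token_for(session_id):
    """The token the server embeds as a hidden field in its own form.
    A page on another origin cannot read it, so it cannot forge it."""
    return SESSIONS[session_id]["csrf_token"]


def vulnerable_change_email(request):
    """Authenticates by session cookie alone. Because the browser attaches
    the cookie to any form post aimed at this site, a request triggered by
    a third-party page is accepted just like a legitimate one."""
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return 401, {}
    session["email"] = request["form"]["new_email"]
    return 200, {}


def protected_change_email(request):
    """Same action, but the submitted CSRF token must match the session's
    token, and anti-framing headers are set on every response."""
    headers = {"X-Frame-Options": "DENY",
               "Content-Security-Policy": "frame-ancestors 'none'"}
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return 401, headers
    submitted = request["form"].get("csrf_token", "")
    # Constant-time comparison on bytes: a mismatch neither leaks timing
    # nor raises on non-ASCII input.
    if not hmac.compare_digest(submitted.encode(),
                               session["csrf_token"].encode()):
        return 403, headers
    session["email"] = request["form"]["new_email"]
    return 200, headers


def cross_site_request(session_id, new_email):
    """Shape of a request arriving via a third-party form post: the cookie
    rides along automatically, but no CSRF token can be supplied."""
    return {"cookies": {"session": session_id},
            "form": {"new_email": new_email}}


def legitimate_request(session_id, new_email):
    """Request submitted from the server's own form, token included."""
    return {"cookies": {"session": session_id},
            "form": {"new_email": new_email,
                     "csrf_token": csrf_token_for(session_id)}}


def demo():
    """Run the three cases and return (status, stored email) observations."""
    sid = new_session("alice", "alice@example.com")
    s1, _ = vulnerable_change_email(cross_site_request(sid, "other@example.net"))
    after_vulnerable = SESSIONS[sid]["email"]      # silently changed
    SESSIONS[sid]["email"] = "alice@example.com"   # reset for the next case
    s2, _ = protected_change_email(cross_site_request(sid, "other@example.net"))
    after_blocked = SESSIONS[sid]["email"]         # unchanged
    s3, _ = protected_change_email(legitimate_request(sid, "alice2@example.com"))
    return s1, after_vulnerable, s2, after_blocked, s3, SESSIONS[sid]["email"]


if __name__ == "__main__":
    print(demo())
```

The token must be tied to the session and never accepted from a cookie, since cookies are exactly what the forged request already carries; the `frame-ancestors` directive is the modern replacement for `X-Frame-Options`, and sending both covers older browsers.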
Previously found vulnerabilities in United Airlines’ system:
This is not the first time a researcher has found a vulnerability in United Airlines’ systems. In the past, Chris Roberts, a security researcher from the United States, identified risks in United’s in-flight entertainment systems that, he said, would allow attackers to turn off the plane’s engines and cockpit lights.
It was because of Roberts’ findings that United Airlines was pushed to start its bug bounty program in May 2015.