Y'know how airlines never explain delays? United's bug bounty works the same way

Researcher says airline failed to fix critical bug for five months

United Airlines' frequent flier points for bugs plan has come in for criticism from a researcher who says the airline didn't respond to news of a critical bug report for five months, and then only after he threatened to go public.

Randy Westergren, whose assessment of Subway's impressively-secure app graced our pages last July, says he found a bug that means “an attacker could completely manage any aspect of a flight reservation using United’s website.”

“This includes access to all of the flight’s departures, arrivals, the reservation payment receipt (payment method and last 4 of CC), personal information about passengers (phone numbers, emergency contacts), and the ability to change/cancel the flight.”

Mindful of United's bug bounty program, he reported it and then waited for the airline to acknowledge the report, fix the bug and send points.

Westergren says the airline's response was … nothing. For five months.

“I understood they were probably overwhelmed with the number of vulnerability submissions, I expected a delayed acknowledgment/response — I didn’t expect, however, for the issue to remain unpatched five months later,” he blogged on Sunday.

Even though the terms of United's bug bounty program mean anyone who discloses a bug won't be given any frequent flyer points, Westergren decided the bug was dangerous enough that he needed to up the ante. The researcher therefore told United he's go public on November 28th, in a Tweet.

That Tweet was picked up by media, things escalated and United eventually told him it had stayed silent because Westergren wasn't the first to report the problem.

Westergren's not so sure: he thinks the media exposure pressured United into fixing the flaw.

Either way, he doesn't think United's doing a very good job of communicating with folks who submit to its bounty program, or of keeping its website secure. ®

Biting the hand that feeds IT © 1998–2021