Hacking the largest airline and hotel rewards platform (2023)


Between March 2023 and May 2023, we identified multiple security vulnerabilities within points.com, the backend provider for a significant portion of airline and hotel rewards programs. These vulnerabilities would have enabled an attacker to access sensitive customer account information, including names, billing addresses, redacted credit card details, emails, phone numbers, and transaction records.

Based on our understanding of the LCP API OAuth 2.0 MAC authentication scheme, if these secondary-context HTTP requests were directed towards the "lcp.points.com" host, they would need to be signed using the specific customer's "macKey" and "macID" parameters. By sending the following POST request, we were able to access the transaction data for all points.com loyalty programs, including Delta, Emirates, Singapore Airlines, United, Etihad, Air Canada, Lufthansa, Southwest, Alaska, Hawaiian, and additionally many hotel reward points providers like Hilton, Marriott, and IHG:
