16 July 2015

United Airlines pays hacker one million air miles in bug bounty reward

July 13, 2015

It didn't take Jordan Wiens very long to find a vulnerability in United Airlines' network, but the payoff was one million free air miles for about six hours of work.

A vulnerability researcher from Florida, Wiens was the first recipient of United's highest-level reward in its bug bounty program, reserved for remote code execution (RCE) vulnerabilities in its web properties.

United announced the bounty program in May 2015, which it said is the first such program in the airline industry.

Usually, bug bounty programs offer rewards in cash, such as those run by Microsoft, Google and Facebook.

United's rewards are all in the form of free air miles - ranging from 50,000 free miles for low-level bugs (cross-site request forgery, bugs in third party software affecting United), to 250,000 miles for mid-level bugs (authentication bypass, personally identifiable information leakage, brute force attacks), and 1,000,000 miles for RCE bugs.

Several kinds of bugs - including those in systems on board the aircraft such as avionics and in-flight Wi-Fi - are not eligible for the program, although thesecurity of aircraft systems has been called into question recently.

Wiens announced his reward on Twitter, and he seemed surprised that United paid out the top reward for his bug submissions.

Wow! @united really paid out! Got a million miles for my bug bounty submissions! Very cool.

He included a screenshot showing that the reward was paid out on 10 July, in two portions: one reward for 999,999 miles, and another for one mile.

The rules of the program prohibit disclosing bugs publicly or to any third parties, but Wiens tweeted that the bug he discovered "wasn't technically challenging."

Wiens said the RCE vulnerability he disclosed "probably wasn't in critical parts of the network."

Even so, RCE vulnerabilities are severe bugs that could allow an unauthenticated attacker to remotely inject code into a program and get it to run.

That means someone on the outside could run a program on your server or desktop computer without having to log in.

Wiens told a local TV station that he planned to use the miles for coach-class trips for his family, including at least one trip to Hawaii with his wife.

Because of the way the airline parcels out rewards miles, that Hawaii trip with his wife would cost him up to 360,000 air miles for two first-class round trip tickets.

A critic of the United bug bounty program might point out that rewards miles might not be as attractive as straight-up cash, making security researchers less likely to participate.

But one tweeter claimed that Wiens's reward is worth roughly $25,000, similar to top payouts of other bounty programs.

We all benefit from these programs: the company offering the program gets the benefit of crowdsourced quality control, the researchers get recognition and compensation for their work, and the rest of us are more secure because of it.

It's great that companies like United are starting to latch on to the idea.

No comments: