United Airlines’ Frequent Flyer App Can Be Hacked to Reveal Passenger Info
Flying has never been more convenient for customers. The security checks might be a drag, but sometimes all it takes to check in online is punching a few digits into a mobile app.
But that may be just a little too convenient. A cybersecurity company has discovered that it’s possible to obtain the personal and flight information of United Airlines MileagePlus customers through the company’s app.
“An attacker can get access to personal details such as email, phone number, flight details (origin, destination, date, time, seat) and even the boarding pass,” Yosi Dahan, co-founder and CEO of Turrisio Cybersecurity, told Motherboard in an email.
When logging into the United Airlines app to check in, a customer can either enter their booking confirmation code or MileagePlus ID and doesn’t need to give any other information, such as a password. MileagePlus is United Airlines’ frequent flyer program. If the user’s flight is within 24 hours, their information will be displayed on the app.
Image: Censored screenshot provided by Dahan to show the information he uncovered
MileagePlus IDs are very basic: they come in the format of two letters, followed by six digits. So instead of having to find out the ID of a particular customer, Dahan wrote a simple Python proof-of-concept script that could allow an attacker to grind through the possible combinations of IDs and automatically check if any flights were booked with them.
There is no indication that the app has actually been abused by criminals. But Dahan, who has previously written about the MileagePlus app security, envisioned that it could be possible to launch a social engineering attack with information gleaned this way. He suggested, for instance, that an attacker could call a victim and present them with information that only United Airlines should know, then scam them into handing over credit card details.
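From the defender's side, the ID-grinding described above shows up in lookup logs as one client querying many distinct, well-formed IDs in a short time. The sketch below is an added example, not Dahan's script or United's code; the log format, the thresholds and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict, deque

# Format stated in the article: two letters followed by six digits.
ID_RE = re.compile(r"^[A-Z]{2}\d{6}$")

WINDOW_SECONDS = 60    # assumption: sliding window length
MAX_DISTINCT_IDS = 5   # assumption: distinct IDs one client may look up per window

def parse(line):
    """Parse 'epoch_seconds client_ip looked_up_id result' (constructed log format)."""
    ts, client, lookup_id, result = line.split()
    return int(ts), client, lookup_id.upper(), result

def find_enumerators(lines, window=WINDOW_SECONDS, limit=MAX_DISTINCT_IDS):
    """Return {client: peak distinct IDs seen in one window} for clients over the limit."""
    recent = defaultdict(deque)  # client -> (ts, id) pairs still inside the window
    flagged = {}
    for line in lines:
        ts, client, lookup_id, _ = parse(line)
        if not ID_RE.match(lookup_id):
            continue  # malformed IDs are a separate signal, not counted here
        q = recent[client]
        q.append((ts, lookup_id))
        while q and q[0][0] <= ts - window:
            q.popleft()  # drop lookups that fell out of the window
        distinct = len({i for _, i in q})
        if distinct > limit:
            flagged[client] = max(flagged.get(client, 0), distinct)
    return flagged

# Constructed sample: one client walks eight consecutive IDs in eight seconds,
# another repeats its own ID and later tries a second one.
SAMPLE_LOG = (
    [f"{1000 + i} 198.51.100.7 AB{i:06d} miss" for i in range(8)]
    + ["1002 203.0.113.20 QX123456 hit",
       "1030 203.0.113.20 QX123456 hit",
       "1200 203.0.113.20 QZ654321 miss"]
)

if __name__ == "__main__":
    for client, peak in find_enumerators(SAMPLE_LOG).items():
        print(f"{client}: {peak} distinct IDs within {WINDOW_SECONDS}s")
```

Counting distinct IDs rather than raw requests keeps a customer who refreshes their own boarding pass from being flagged. Rate detection is a compensating control; the lookup the article describes asks for nothing beyond the ID itself.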