Rewards Platform Flaw, Let attackers Steal User’s Personal Information

Security vulnerabilities have been reported on between March 2023 and May 2023. 

On Aug 3, 2023, a group of cybersecurity researchers made these API vulnerabilities public, along with the technical details of their intrusion.


Through these reported vulnerabilities, attackers would have access to sensitive customer account information, transferring points from customer accounts and gaining unauthorized access to a global administrator website. is the backend provider for nearly all major airline and hotel rewards programs for storing and processing reward points. 

The researchers—Ian Carroll, Shubham Shah, and Sam Curry—reported a series of vulnerabilities to between March and May, and all the bugs have since been fixed.

Vulnerability Reports

The first vulnerability they reported on March 7, 2023, was an unauthenticated HTTP request to an Internal API, which would’ve allowed the attacker to query 22 million order records.

“The data within the records included partial credit card numbers, home addresses, email addresses, phone numbers, reward points numbers, customer authorization tokens, and miscellaneous transaction details, ” said Sam Curry, a cybersecurity researcher.

The second vulnerability they reported on March 7, 2023, was an authorization bypass.

Customers Personal Details Exposed

It would allow an attacker to steal airline reward points from other users by knowing only their last name and reward points number via a misconfigured API.

The third vulnerability they reported on May 2, 2023, about Leaked Tenant Credentials on an endpoint hosted by Virgin Rewards Program,  allows Attackers to Sign API Requests on Behalf of Virgin Airways (Add/Remove Rewards Points, Access Customer Accounts, Modify Rewards Program Settings, etc.)

They identified the fourth vulnerability on April 29, 2023, specifically in United Airlines, where an attacker could generate an authorization token for any user knowing only their rewards number and last name.

The attacker Can give an authorization token.

This vulnerability could let the attacker perform transfer miles to themselves and authenticate as a member on multiple apps related to MileagePlus, potentially including the MileagePlus administrator panel. 

The last vulnerability they reported on May 2, 2023, through this, an attacker could gain full access to the global administration console and Loyalty wallet administration panel.

An attacker could abuse this access to revoke existing reward program credentials and temporarily take down airline rewards functionality.


Upon reporting these vulnerabilities, the team responded very quickly, acknowledging each report within an hour. 

“They promptly took affected websites offline to conduct thorough investigations and subsequently patched all identified issues. All vulnerabilities reported have since been remediated,” said the Sam Curry team.

Keep informed about the latest Cyber Security News by following us on GoogleNews, Linkedin, Twitter, and Facebook.

Sujatha is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under her belt in Cyber Security, she is covering Cyber Security News, technology and other news.