Security vulnerabilities in points.com were reported to the company between March 2023 and May 2023.
On Aug 3, 2023, the group of cybersecurity researchers behind the reports made these Points.com API vulnerabilities public, along with the technical details of their findings.
Chained together, these vulnerabilities would have let an attacker read sensitive customer account information, transfer points out of customer accounts, and gain unauthorized access to a global administration website.
Points.com is the backend provider that stores and processes reward points for nearly all major airline and hotel rewards programs.
The researchers—Ian Carroll, Shubham Shah, and Sam Curry—reported a series of vulnerabilities to Points.com between March and May, and all the bugs have since been fixed.
The first vulnerability, reported on March 7, 2023, was an internal API that accepted unauthenticated HTTP requests; a single request would have allowed an attacker to query 22 million order records.
“The data within the records included partial credit card numbers, home addresses, email addresses, phone numbers, reward points numbers, customer authorization tokens, and miscellaneous transaction details,” said Sam Curry, one of the researchers.
The second vulnerability, also reported on March 7, 2023, was an authorization bypass in a misconfigured API: an attacker who knew only a victim's last name and reward points number could steal that user's airline reward points.
The third vulnerability, reported on May 2, 2023, was a set of tenant credentials leaked on an endpoint hosted by the Virgin rewards program. With those credentials, an attacker could sign API requests on behalf of Virgin (add or remove reward points, access customer accounts, modify rewards program settings, and so on).
The fourth vulnerability, identified on April 29, 2023, was specific to United Airlines: an attacker could generate an authorization token for any user knowing only their rewards number and last name.
With that token, the attacker could transfer the victim's miles to themselves and authenticate as the member on multiple MileagePlus-related applications, potentially including the MileagePlus administrator panel.
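The second and fourth findings share one root cause: an identity lookup keyed on data printed on every boarding pass (last name plus membership number) was treated as authentication, and the token minted from it was then honoured everywhere downstream. The following is an added illustration of that pattern and its hardened form; it is constructed for this article and is not points.com's, United's or the researchers' code. The member records, the signing key, the token format and the `transfer_miles` endpoint are all assumptions made for the demonstration.

```python
"""Weak "last name + member number" token issuance beside a hardened version.

Constructed example. Nothing here is real points.com or airline code; the
accounts, secrets and endpoint shapes are invented for illustration.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

SIGNING_KEY = b"constructed-signing-key"  # assumption: the server's token-signing secret


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_member(number: str, last_name: str, miles: int, password: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"number": number, "last_name": last_name, "miles": miles,
            "salt": salt, "pw_hash": _hash_password(password, salt)}


# Constructed sample accounts (not real data).
MEMBERS = {
    "MP1234567": make_member("MP1234567", "Smith", 50_000, "correct horse battery"),
    "MP7654321": make_member("MP7654321", "Jones", 100, "hunter2"),
}


def _sign(payload: dict) -> str:
    """HMAC-signed token: base64(JSON payload) '.' hex(HMAC-SHA256)."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    mac = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def _verify(token: str) -> Optional[dict]:
    """Returns the claims if the signature is valid and the token is unexpired."""
    try:
        body, mac = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    payload = json.loads(base64.urlsafe_b64decode(body))
    if payload.get("exp", 0) < time.time():
        return None
    return payload


# --- The weak pattern the article describes --------------------------------
def weak_issue_token(last_name: str, member_number: str) -> Optional[str]:
    """Mints a member token from data printed on any boarding pass.

    The token is correctly signed, so every downstream signature check
    passes; the flaw is that nothing secret was required to obtain it.
    """
    m = MEMBERS.get(member_number)
    if m is None or m["last_name"].lower() != last_name.lower():
        return None
    return _sign({"sub": member_number, "exp": time.time() + 3600})


# --- Hardened form ---------------------------------------------------------
def safe_issue_token(member_number: str, password: str) -> Optional[str]:
    """Requires a secret the attacker does not hold, compared in constant
    time, and scopes the short-lived token so it cannot be replayed against
    administrative endpoints."""
    m = MEMBERS.get(member_number)
    if m is None:
        # Do the same work for unknown accounts so timing does not reveal
        # which membership numbers exist.
        _hash_password(password, b"\x00" * 16)
        return None
    if not hmac.compare_digest(_hash_password(password, m["salt"]), m["pw_hash"]):
        return None
    return _sign({"sub": member_number, "scope": "member", "exp": time.time() + 900})


def transfer_miles(token: str, to_number: str, amount: int) -> bool:
    """Moves miles out of the token subject's account.

    This endpoint is correct on its own: it verifies the signature and only
    debits the token's subject. It is only as strong as the issuer that
    decided who may hold a token for that subject.
    """
    claims = _verify(token)
    if claims is None or to_number not in MEMBERS or amount <= 0:
        return False
    src = MEMBERS[claims["sub"]]
    if src["miles"] < amount:
        return False
    src["miles"] -= amount
    MEMBERS[to_number]["miles"] += amount
    return True


if __name__ == "__main__":
    # Attacker knows only the victim's last name and membership number.
    stolen = weak_issue_token("smith", "MP1234567")
    print("weak path transfer:", transfer_miles(stolen, "MP7654321", 49_000))
    print("hardened path without password:", safe_issue_token("MP1234567", "guess"))
```

The point of the example is that signature verification on `transfer_miles` is not where the bug lives: `weak_issue_token` produces a perfectly valid token, so the fix has to be at issuance (require a real credential, limit lifetime, and attach a scope that admin panels reject) rather than in the consumers of the token.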
The last vulnerability, reported on May 2, 2023, gave an attacker full access to the global points.com administration console and the Loyalty Wallet administration panel.
An attacker could abuse this access to revoke existing reward program credentials and temporarily take down airline rewards functionality.
After each report, the points.com team responded very quickly, acknowledging it within an hour.
“They promptly took affected websites offline to conduct thorough investigations and subsequently patched all identified issues. All vulnerabilities reported have since been remediated,” the researchers wrote.