reader comments
9 with
Travel rewards programs like those offered by airlines and hotels tout the specific perks of joining their club over others. Under the hood, though, the digital infrastructure for many of these programs—including Delta SkyMiles, United MileagePlus, Hilton Honors, and Marriott Bonvoy—is built on the same platform. The backend comes from the loyalty commerce company Points and its suite of services, including an expansive application programming interface (API).
But new findings, published today by a group of security researchers, show that vulnerabilities in the Points.com API could have been exploited to expose customer data, steal customers’ “loyalty currency” (like miles), or even compromise Points global administration accounts to gain control of entire loyalty programs.
The researchers—Ian Carroll, Shubham Shah, and Sam Curry—reported a series of vulnerabilities to Points between March and May, and all the bugs have since been fixed.
“The surprise for me was related to the fact that there is a central entity for loyalty and points systems, which almost every big brand in the world uses,” Shah says. “From this point, it was clear to me that finding flaws in this system would have a cascading effect to every company utilizing their loyalty backend. I believe that once other hackers realized that targeting Points meant that they could potentially have unlimited points on loyalty systems, they would have also been successful in targeting Points.com eventually.”
One bug involved a manipulation that allowed the researchers to traverse from one part of the Points API infrastructure to another internal portion and then query it for reward program customer orders. The system included 22 million order records, which contain data like customer rewards account numbers, addresses, phone numbers, email addresses, and partial credit card numbers. Points.com had limits in place on how many responses the system could return at a time, meaning an attacker couldn’t simply dump the whole data trove at once. But the researchers note that it would have been possible to look up specific individuals of interest or slowly siphon data from the system over time.
supply chain attacks for espionage or finding vulnerabilities in widely used software and equipment and exploiting them in cybercriminal attacks.
“We’re trying to find high-impact systems where if an attacker were able to compromise them there could be significant damage,” Curry says. “I think a lot of companies accidentally get to a point where they are ultimately in charge of a lot of data and systems, but they don’t necessarily stop and assess the position they’re in.”
This story originally appeared on wired.com.