Hackers get millions of free miles for revealing risks to United Airlines
United Airlines has awarded a couple of hackers millions of frequent flier miles for uncovering vulnerabilities in the carrier’s web security without taking advantage of them, the media reported on Thursday.
Bug bounties are common practice among tech-savvy start-ups but have yet to see widespread adoption outside the IT industry. If United Airlines' programme proves successful, it could signal the start of a new wave of bounty hunting. One of the researchers, Jordan Wiens, tweeted that he had found a bug that could in theory have let attackers take over United's websites. Rewards start at 50,000 miles for a cross-site scripting flaw and rise to 250,000 for a more serious authentication-bypass flaw, with the top tier above that reserved for the most severe bugs.
However, bugs found on board the aircraft, such as in the avionics or the in-flight Wi-Fi, are not eligible for the programme.
Wiens announced his reward on Twitter and seemed surprised that United paid out the top reward for his submissions, which he said were not technically challenging.
Wow! @united really paid out!
Terms of the agreement prohibit Wiens from disclosing the bug he discovered.
United launched its bug bounty in May. As security firm Sophos noted, remote code execution (RCE) flaws can let an unauthenticated attacker gain entry to a system, inject malicious code and manipulate applications. In plain terms, someone on the outside could run a program of their choosing on your server or desktop computer without having to log in, which is not a problem an airline wants to face when customer safety could be at risk.
Wiens said the RCE vulnerability he disclosed "probably wasn't in critical parts of the network".
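To make the RCE definition above concrete, here is an added illustration that is not United's code and has nothing to do with the bug Wiens found (which remains undisclosed). It shows the shape of the flaw class: a hypothetical, unauthenticated "flight status" handler that shells out with attacker-controlled input, next to a hardened version. The endpoint, parameter name and lookup command are all assumptions constructed for the example.

```python
"""Constructed illustration of an unauthenticated remote-code-execution flaw
(command injection) and its fix. Not code from United or from Sophos; the
handler, parameter and command are assumptions made for the example."""
import re
import subprocess
from typing import Optional

# Hypothetical legacy lookup: the web tier shells out to a CLI tool.
# `flight` comes straight from the query string; no login is required.
def lookup_vulnerable(flight: str) -> str:
    # BUG: user input is interpolated into a shell command line. A `;` in the
    # input ends the intended command and starts one the attacker chose, so
    # an outsider can run arbitrary programs on the server.
    cmd = f"echo status-for {flight}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# Airline code (two capitals) followed by a flight number of 1-4 digits.
FLIGHT_RE = re.compile(r"^[A-Z]{2}[0-9]{1,4}$")


def lookup_hardened(flight: str) -> Optional[str]:
    # Fix 1: allow-list the input shape so shell metacharacters never get in.
    if not FLIGHT_RE.fullmatch(flight):
        return None
    # Fix 2: never hand the value to a shell. Each argv element is passed to
    # the program as-is, so a `;` would be a literal character, not a separator.
    argv = ["echo", "status-for", flight]
    return subprocess.run(argv, capture_output=True, text=True).stdout


# Constructed attacker input: a valid-looking flight plus an injected command.
INJECTED = "UA123; echo INJECTED"

if __name__ == "__main__":
    print(repr(lookup_vulnerable(INJECTED)))  # the injected second command runs
    print(repr(lookup_hardened(INJECTED)))    # None: rejected before any exec
```

The benign `echo` stands in for whatever an attacker would actually run; the point is that in the vulnerable handler the second command executes at all, while the hardened handler both rejects the malformed input and, even if validation were bypassed, never gives the input to a shell.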
"We all benefit from these programs: the company offering the program gets the benefit of crowdsourced quality control, the researchers get recognition and compensation for their work, and the rest of us are more secure because of it," wrote John Zorabedian of Sophos.