Back in January, United Airlines suspended some Mileage Plus members’ accounts for what they claimed was a breach involving a third party that enabled an attacker to use login credentials to access members’ accounts.
Now they may have another problem affecting their Mileage Plus program, it seems. Yosi Dahan of Turrisio writes:
During our recent research, we have discovered a critical security vulnerability in the United Airlines mobile application, and that’s not the first time.
Using the United Airlines mobile app, a customer can either enter their booking confirmation code or MileagePlus ID and doesn’t need to give any other information, such as a password. MileagePlus is United Airlines’ frequent flyer program. If the user’s flight is within 24 hours, their information will be displayed on the app.
Read more on Turrisio. United Airlines’s response to Yosi’s disclosure was:
“What Mr. Dahan incorrectly calls a bug is in fact the intended behavior of our mobile app, which we designed to make the flight check-in process as simple as possible to accommodate the broadest number of customers,” a spokesperson told Motherboard in an email. “While we continuously assess and enhance our security procedures, we have extensive programs in place to protect our customers and their personal information.”