Oops: United Website Let Anyone See Name And Ticket Details Of Customers Who Requested Refunds

United Airlines has just fixed a glitch that allowed anyone to view the name and ticket details of customers who had requested refunds.

Anyone can check refund status online by entering a last name and ticket number, but United wasn’t checking that the name matched the ticket whose refund details it displayed. The ticket number alone was enough, so the last name was never really an access control.

The airline’s website lets users check their refund status by entering their ticket number and last name. But the website wasn’t validating the last name, making it possible to access other travelers’ refund information by changing the ticket number.

[This would show] traveler surnames, the payment type and currency used to buy the ticket, and the refund amount.
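The flaw described above is a broken object-level access check: the refund record is looked up by ticket number only, and the second field the form asks for is never compared. The following is an added illustration, not United's code; the refund records, ticket numbers and helper names are constructed for the example. It shows the lookup as the report describes it beside a version that treats ticket number and last name together as the credential, and a small probe that walks consecutive ticket numbers the way anyone exploiting the gap would.

```python
"""Refund-status lookup: the access-control gap described above, beside a fixed version.

Added example, not United's code. Records and ticket numbers are constructed sample data.
"""
import hmac
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class RefundRecord:
    ticket_number: str
    last_name: str
    payment_type: str
    currency: str
    refund_amount: str


# Constructed sample data (hypothetical 13-digit ticket numbers, not real tickets).
_REFUNDS = {
    "0161234567890": RefundRecord("0161234567890", "SMITH", "Visa", "USD", "412.30"),
    "0161234567891": RefundRecord("0161234567891", "MUELLER", "Mastercard", "EUR", "289.00"),
}


def _normalize(name: str) -> str:
    # Surnames are stored upper-cased without surrounding whitespace.
    return name.strip().upper()


def _public_view(record: RefundRecord) -> dict:
    # The fields the report says the page exposed.
    return {
        "last_name": record.last_name,
        "payment_type": record.payment_type,
        "currency": record.currency,
        "refund_amount": record.refund_amount,
    }


def lookup_vulnerable(ticket_number: str, last_name: str) -> Optional[dict]:
    """Keys the lookup on ticket number alone; last_name is accepted but never checked.

    This is the pattern in the report: changing the ticket number walks through other
    travelers' refunds regardless of the surname supplied.
    """
    record = _REFUNDS.get(ticket_number)
    if record is None:
        return None
    return _public_view(record)


def lookup_fixed(ticket_number: str, last_name: str) -> Optional[dict]:
    """Treats (ticket_number, last_name) as the credential: both must match.

    A wrong surname yields the same response as an unknown ticket number, so the
    endpoint confirms neither that the ticket exists nor that a refund was requested.
    """
    supplied = _normalize(last_name).encode()
    record = _REFUNDS.get(ticket_number)
    if record is None:
        # Compare against a dummy anyway so response timing does not reveal
        # whether the ticket number exists.
        hmac.compare_digest(supplied, b"\x00")
        return None
    if not hmac.compare_digest(supplied, record.last_name.encode()):
        return None
    return _public_view(record)


def enumerate_refunds(lookup: Callable[[str, str], Optional[dict]],
                      start: int, count: int, last_name: str = "X") -> list:
    """Probes consecutive 13-digit ticket numbers with a bogus surname and returns
    whatever the given lookup discloses."""
    found = []
    for n in range(start, start + count):
        view = lookup(f"{n:013d}", last_name)
        if view is not None:
            found.append(view)
    return found


if __name__ == "__main__":
    # The vulnerable lookup leaks both records; the fixed one leaks nothing.
    print(enumerate_refunds(lookup_vulnerable, 161234567888, 5))
    print(enumerate_refunds(lookup_fixed, 161234567888, 5))
```

Binding the lookup to both fields closes the gap the report describes, but it is not the whole fix: ticket numbers are sequential and surnames are guessable, so the endpoint should also be rate-limited per source and per ticket number, and failed lookups should be logged so a scan across many ticket numbers is visible.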

Despite garnering significant media attention five years ago when it launched a bug bounty program offering up to 1 million miles for bugs reported to the airline, United reportedly did not respond to the security researcher who found the vulnerability and reported it on July 6.

It’s not clear to what extent European data protection rules were broken via the vulnerability, or whether the incident has been reported to the relevant authorities.

About Gary Leff

Gary Leff is one of the foremost experts in the field of miles, points, and frequent business travel - a topic he has covered since 2002. Co-founder of frequent flyer community InsideFlyer.com, emcee of the Freddie Awards, and named one of the "World's Top Travel Experts" by Condé Nast Traveler (2010-Present), Gary has been a guest on most major news media, profiled in several top print publications, and published broadly on the topic of consumer loyalty.

Comments

  1. Anyone can make a mistake but in most cases these companies won’t pay the going rate for top notch security engineers and programmers, so they end up with lower-end talent and/or outsource stuff to low bidders who, unsurprisingly, can’t afford top notch engineers.

    Until high level executives are fined substantially and imprisoned (the latter would get their attention quicker) this stuff goes on and on.

  2. Sounds like a minor glitch. Make no mistake, privacy is paramount. But names on flights are basically public knowledge – ever look at the upgrade standby lists. @rich, top notch engineers make mistakes too. And where will UA get the money to pay them?

  3. This is an airline whose security team believes 2-factor authentication is having a list of predefined questions together with a limited number of pre-defined answers.

    Even more scary, their call center agents request this information of their customers while in public spots (and easily overheard), like in airports or inside aircraft, together with other PII like name, mileage number, etc.

    United’s InfoSec and web development teams should be fired and crucified in every court of law in every country where a passenger’s information has been compromised, and the costs for these be charged to the personal credit cards of their CISO and IT leadership.
