The popular rewards platform points.com has multiple vulnerabilities that could result in personal data theft and unauthenticated admin access. According to reports, attackers who exploit the vulnerabilities could access the personal information of the platform's users.
The affected platform, points.com, operates as a marketplace for redeeming and exchanging loyalty points across numerous hotel and airline rewards programs.
Recent research revealed that at least five security bugs in the platform could give threat actors unauthorised access to sensitive information, such as names, addresses, email addresses, phone numbers, and transaction records.
These flaws could also let adversaries transfer points between accounts and even reach a global admin website, where they could gain the ability to issue points, manage loyalty programs and perform other administrative actions.
The vulnerabilities in points.com came to light earlier this year.
Researchers alerted points.com to an unauthenticated HTTP path traversal flaw they discovered last March. Their investigation showed that an unauthenticated attacker could exploit the flaw to reach an internal API exposing a database of about 22 million order records.
The records were confirmed to contain sensitive data, including credit card numbers, email addresses, phone numbers, postal addresses, customers' authorisation tokens, reward points numbers, and miscellaneous transaction details.
Attackers could page through this data via an API call that returns 100 results per HTTP request.
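As an added example (not code from points.com or the researchers), the block below sketches the two defender-side checks this report suggests: normalising request paths at the edge so a traversal sequence cannot resolve into an internal API prefix, and flagging clients whose paged calls to a 100-results-per-request endpoint add up to a bulk export. The `/internal/` prefix, the `/orders` path and the `<client> <path>` log format are assumptions.

```python
# Added example (not points.com's or the researchers' code): edge-side path
# normalisation plus a bulk-paging detector for a 100-results-per-call endpoint.
import posixpath
from collections import Counter
from urllib.parse import unquote

# Hypothetical prefix under which the internal API is mounted behind the edge.
INTERNAL_PREFIXES = ("/internal/",)
PAGE_SIZE = 100  # results per request, as described in the report


def normalise_path(raw_path: str) -> str:
    """Decode twice (catches double-encoded '%252e') and collapse '.'/'..' segments."""
    path = raw_path.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path)
    path = path.replace("\\", "/")
    if not path.startswith("/"):
        path = "/" + path
    norm = posixpath.normpath(path)  # '/a/../b' -> '/b'; '/../b' -> '/b'
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"  # keep trailing slash so prefix matching stays exact
    return norm


def reaches_internal_api(raw_path: str) -> bool:
    """True when the normalised path lands on or inside an internal prefix."""
    norm = normalise_path(raw_path)
    return any(norm == p.rstrip("/") or norm.startswith(p) for p in INTERNAL_PREFIXES)


def flag_bulk_paging(log_lines, record_threshold: int = 1000) -> set:
    """Clients whose paged /orders calls could have pulled > record_threshold rows.

    Each log line is constructed as '<client> <request-path>'."""
    pages = Counter()
    for line in log_lines:
        client, path = line.split(" ", 1)
        if "/orders" in path and "page=" in path:
            pages[client] += 1
    return {c for c, n in pages.items() if n * PAGE_SIZE > record_threshold}


if __name__ == "__main__":
    # Constructed requests: the second one walks out of the public tree.
    for p in ("/public/orders/123", "/public/..%2Finternal/orders?page=1"):
        print(p, "->", normalise_path(p), "BLOCK" if reaches_internal_api(p) else "ok")
    sample = [f"10.0.0.5 /internal/orders?page={i}" for i in range(1, 12)]
    sample.append("10.0.0.9 /internal/orders?page=1")
    print(flag_bulk_paging(sample))  # {'10.0.0.5'}
```

Routing decisions should be made on the normalised path only; the paging threshold is a starting point to tune against legitimate client behaviour.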
The researchers also reported an authorisation bypass in a misconfigured API that adversaries could exploit to transfer airline rewards points out of users' accounts. The issue could have let threat actors mint full account authorisation tokens to manage customers' accounts and view their data.
In a related case, a separate researcher reported a flaw affecting United Airlines: an attacker could generate an unauthorised token for any user account knowing only that member's rewards number and last name.
Another discovery identified a points.com-hosted rewards website for Virgin that was leaking API authentication information. The leak could have allowed threat actors to pose as airline representatives, make API calls that alter accounts, add or remove points, and change the Virgin rewards program's settings.
Fortunately, points.com has been responsive to every alert relayed by researchers, and experts expect the platform to release patches soon.