United Airways(r) united.com Insecure Transmission of User Credentials
Revision Date: May 6th, 2014
Reason for Revision: Issue has been fixed by united.com
Systems: www.united.com
Severity: Critical
Category: Information Disclosure
Author: Michael Scheidell, CCISO – Managing Director, Security Privateers
Original Public Release Date: June 30th, 2014.
Notifications: April 29, 2014 (United Airlines, FBI InfraGard, Miami ECTF)
Notifications: April 31, 2014 (Miami ETCF Forwarded to USSS, DHS and Chicago ECTF)
Notifications: May 5th, 2014. Update sent to MECTF and United Airlines
Discussion: (From United.com’s web siteprivacy policy)
Privacy Policy
Your privacy is important to us
United Airlines is committed to protecting the privacy and personal data it receives from customers. We want you to know that when you use one of the United family Internet websites, and when you provide us with information offline, the privacy of your personally identifiable information will be respected and protected.
Vulnerability: Confidential login information, including password is transmitted in plain text
This vulnerability has similar scope and threat as the HeartBleed bug. Even though this exploit does not depend on the HeartBleed bug, it still has the potential to disclose confidential information that the user would reasonably assume to be sensitive or, in combination with their username, would be considered private, unpublished personal information.
The Home page of www.united.com has a link to a ‘Sign in’ page in the upper right hand corner clicking on this link brings the user to another page, an html form that requests userlogin and password. Source code reveals that ‘Sign in (Secure)’ button links to http, not https page:
<div><span id="ctl00_CustomerHeader_
When you select ‘Sign in’, you are presented with a screen at url: http://www.united.com/web/en-
The request is for MileagePlus Number or Username:
PIN or Password:
And the ‘submit’ button is labeled ‘Sign In (Secure)’.
First thing to note is that this is an http (plain text, unencrypted) webpage, second thing to note is that the submit button calls a standard ‘POST’ which when the user presses the ‘Sign In (Secure)’ button, the information is transmitted from the user’s computer across the internet in plain text.
<body id="ctl00_bodyMain" onunload="PurchaseAbandon();">
<form name="aspnetForm" method="post" action="signin.aspx" onsubmit="javascript:return WebForm_OnSubmit();" id="aspnetForm">
I suspected that there might be an issue with this not directing to or using SSL, so I enabled Microsoft Message Analyzer (Instead of Wireshark), selected proxy mode and watched the transactions. It is clear, in packet #45 of the packet trace that the username and password that were entered into the above form were sent to www.united.com in plain text.
For information on how your information is stolen on open, unencrypted Wifi see 'Stalker: A creepy look at you, online'.
Threat: Unauthorized person can obtain the confidential credentials of an authorized user. The combination of these vulnerabilities, the disclosure of confirmation number, flight information, username and password pose a significant threat to the traveler. In addition to flight information, the united.com web site allows a logged on user the ability to view Full Name, Home Address, Phone Numbers, email address, birthdate, and any government issued ID such as passport number, redress number of Global Entry/TSA precheck number. This is not just a theoretical threat as the danger to a frequent flyer is increased due to the use of public/free unencrypted WiFi in airports, VIP lounges, coffee houses and hotels. It is due to the ease of interception of http/web traffic that https, ssl encryption was mandated for PCI compliant web sites.
Exploit: A packet sniffer installed on a hub, gateway, router, switch or computer could be used to read information along with easily obtained software that is designed to collect information from unencrypted wireless networks.
Risk: United services 16 million flyers a year. If an Unauthorized person used the above information to log in, they can obtain additional confidential information on the web site such as name, phone number, birth date, address, email address, TSC precheck /known traveler number, and information on past and future travel plans. An unknown number of these flyers have used united.com since the introduction of this vulnerability. Each one of these users is at risk of identity theft, email spam and stalking. Terrorists may use this information to obtain or forge boarding documents.
Control: United.com redirects all web traffic on mobile devices to an https platform which encrypts traffic. United.com should use this same control on normal laptop and workstation traffic, or at the very least, redirect login information to an encrypted, https enabled web form. As of May 5th, United has updated the login page to submit the user’s information to an encrypted page.
Residual Risk: Critical
If there is even a .01% chance that 100,000 users accessed their united.com account while this vulnerability was in place, this constitutes a minimum financial loss of $1,000,000 to cover one year of identity theft monitoring for users.
United Airlines Response:
April 29th, United Airlines provided, via twitter, an email address to send information to: (eservice@united.com).
May 5th, in response to a second email to eservice@united.com that was cc’d to their CISO I received an email form the CISO promising to look into it, and then later a phone call to discuss timing of a public disclosure.
May 6th, I received a call from the CISO informing me that the vulnerability had been addressed.
MECTF Response:
Information has been forwarded to DHS, USSS and Chicago ECTF
CECTF Response:
May 5th, Spoke on the phone with Chicago ECTF
InfraGard Response:
Assigned iGuardian/ Incident number INFRAGARD-2014-00054
Solution:
United.com’s team worked on and deployed a multipart fix that addresses this and a similar issue. The following code has been implemented on united.com’s web site. Notice the forced direction to the https url in the post:
<body id="ctl00_bodyMain" onunload="PurchaseAbandon();">
<form name="aspnetForm" method="post" action="https://www.united.
The fix for this specific issue was to direct the post to the recommended https/ssl encrypted page.
United.com should determine how long this vulnerability existed, and how many users it affected in order to provide recommended disclosure. Any united.com client who had their information exposed should immediately change their password, and may wish to take additional actions if they believe their account has been compromised. Additional information on the 47 states different breach laws, and breach notification requirements can be found here: http://www.perkinscoie.com/
Credit:
This problem was originally found by Michael Scheidell, CCISO and Managing Director of Security Privateers. Issue was discovered during a routine booking of a flight on United.com and verified by using Microsoft Message Analyzer to inspect traffic on the local network. No hacking performed, no hacking attempted.
Additional research and documentation by Almantas Kakareka, CISSP, Founder and CTO of Demoy, Inc.
Additional Information:
A tcpdump/pcap packet of the information disclosure will only be shared with responsible party.
We believe in responsible disclosure. Responsible companies should acknowledge the efforts of recognized security researchers and security researchers should avoid public disclosure of vulnerabilities before working with the vendor to fix them.
Almantas shared this additional research and documentation:
Once you enter the correct username:password combo they redirected you to the https site, but that is too late, because username and password were transmitted in the clear already. I have a set of valid username and pass, so I tried with both and highlighted username and password fields.
Incorrect credentials:
POST /web/en-US/apps/account/
Host: www.united.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:28.0) Gecko/20100101 Firefox/28.0
Accept: text/html,application/xhtml+
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.united.com/web/en-
Cookie: VanityURL=Null; TLTSID=
Connection: keep-alive
Content-Type: application/x-www-form-
Content-Length: 1869
hdnServer=.58&hdnSID=
HTTP/1.1 200 OK
Cache-Control: private,no-cache
Content-Type: text/html; charset=utf-8
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Server: Continental Airlines, Inc.
Content-Length: 29133
Date: Sun, 04 May 2014 22:13:44 GMT
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: VanityURL=; domain=united.com; path=/
Set-Cookie: TLTSID=
Set-Cookie: TLTUID=
Set-Cookie: akaau=1399241903~id=
Set-Cookie: SID=
Set-Cookie: dnn=false; domain=united.com; path=/
Set-Cookie: cocom=si=False; domain=united.com; path=/
Set-Cookie: 1stSID=
Set-Cookie: ChaseICLastPage=/web/en-US/
Set-Cookie: culture=LanguageDesc=English; domain=united.com; path=/
Set-Cookie: WB03=3aX4YIzPvAjgDJeFdBzCSlN_
Set-Cookie: akaau=1399241924~id=
==============================
Correct credentials:
POST /web/en-US/apps/account/
Host: www.united.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:28.0) Gecko/20100101 Firefox/28.0
Accept: text/html,application/xhtml+
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.united.com/web/en-
Cookie: VanityURL=Null; TLTSID=
Connection: keep-alive
Content-Type: application/x-www-form-
Content-Length: 2229
hdnServer=.83&hdnSID=
HTTP/1.1 302 Moved Temporarily
Cache-Control: private,no-cache
Content-Type: text/html; charset=utf-8
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Location: https://www.united.com/web/en-
Server: Continental Airlines, Inc.
Content-Length: 226
Date: Sun, 04 May 2014 22:15:35 GMT
Connection: keep-alive
Set-Cookie: VanityURL=; domain=united.com; path=/
Set-Cookie: TLTSID=
Set-Cookie: TLTUID=
Set-Cookie: akaau=1399241903~id=
Set-Cookie: SID=
Set-Cookie: dnn=false; domain=united.com; path=/
Set-Cookie: cocom=si=False&RememberID=&
Set-Cookie: 1stSID=
Set-Cookie: ChaseICLastPage=/web/en-US/
Set-Cookie: culture=LanguageDesc=English; domain=united.com; path=/
Set-Cookie: WB03=3aX4YIzPvAjgDJeFdBzCSlN_
Set-Cookie: AuthCookie=
Set-Cookie: akaau=1399242035~id=
<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="https://www.united.com/
</body></html>
For Further information, Contact:
Michael Scheidell, CCISO, Security Privateers, (561) 948-1305 / michael@securityprivateers.com
Almantas Kakareka, CCISP, Demyo, Inc, (201) 665 6666 / almaz@demyo.com
Original document can be found at http://privateers.in/d6
--
Michael Scheidell, CCISO, SMIEEE
Security Privateers<http://www.
Direct: (561) 948-1305
Office: (561) 948-1289
Sales: (877) 948-1289
http://michael.scheidell.org
@scheidell<http://twitter.com/
//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information
Revision Date: May 6th, 2014
Reason for Revision: Issue has been fixed by united.com
Systems: www.united.com
Severity: Critical
Category: Information Disclosure
Author: Michael Scheidell, CCISO – Managing Director, Security Privateers
Original Public Release Date: June 30th, 2014.
Notifications: April 29, 2014 (United Airlines, FBI InfraGard, Miami ECTF)
Notifications: April 31, 2014 (Miami ETCF Forwarded to USSS, DHS and Chicago ECTF)
Notifications: May 5th, 2014. Update sent to MECTF and United Airlines
Discussion: (From United.com’s web siteprivacy policy)
Privacy Policy
Your privacy is important to us
United Airlines is committed to protecting the privacy and personal data it receives from customers. We want you to know that when you use one of the United family Internet websites, and when you provide us with information offline, the privacy of your personally identifiable information will be respected and protected.
Vulnerability: Confidential login information, including password is transmitted in plain text
This vulnerability has similar scope and threat as the HeartBleed bug. Even though this exploit does not depend on the HeartBleed bug, it still has the potential to disclose confidential information that the user would reasonably assume to be sensitive or, in combination with their username, would be considered private, unpublished personal information.
The Home page of www.united.com has a link to a ‘Sign in’ page in the upper right hand corner clicking on this link brings the user to another page, an html form that requests userlogin and password. Source code reveals that ‘Sign in (Secure)’ button links to http, not https page:
<div><span id="ctl00_CustomerHeader_
When you select ‘Sign in’, you are presented with a screen at url: http://www.united.com/web/en-
The request is for MileagePlus Number or Username:
PIN or Password:
And the ‘submit’ button is labeled ‘Sign In (Secure)’.
First thing to note is that this is an http (plain text, unencrypted) webpage, second thing to note is that the submit button calls a standard ‘POST’ which when the user presses the ‘Sign In (Secure)’ button, the information is transmitted from the user’s computer across the internet in plain text.
<body id="ctl00_bodyMain" onunload="PurchaseAbandon();">
<form name="aspnetForm" method="post" action="signin.aspx" onsubmit="javascript:return WebForm_OnSubmit();" id="aspnetForm">
I suspected that there might be an issue with this not directing to or using SSL, so I enabled Microsoft Message Analyzer (Instead of Wireshark), selected proxy mode and watched the transactions. It is clear, in packet #45 of the packet trace that the username and password that were entered into the above form were sent to www.united.com in plain text.
For information on how your information is stolen on open, unencrypted Wifi see 'Stalker: A creepy look at you, online'.
Threat: Unauthorized person can obtain the confidential credentials of an authorized user. The combination of these vulnerabilities, the disclosure of confirmation number, flight information, username and password pose a significant threat to the traveler. In addition to flight information, the united.com web site allows a logged on user the ability to view Full Name, Home Address, Phone Numbers, email address, birthdate, and any government issued ID such as passport number, redress number of Global Entry/TSA precheck number. This is not just a theoretical threat as the danger to a frequent flyer is increased due to the use of public/free unencrypted WiFi in airports, VIP lounges, coffee houses and hotels. It is due to the ease of interception of http/web traffic that https, ssl encryption was mandated for PCI compliant web sites.
Exploit: A packet sniffer installed on a hub, gateway, router, switch or computer could be used to read information along with easily obtained software that is designed to collect information from unencrypted wireless networks.
Risk: United services 16 million flyers a year. If an Unauthorized person used the above information to log in, they can obtain additional confidential information on the web site such as name, phone number, birth date, address, email address, TSC precheck /known traveler number, and information on past and future travel plans. An unknown number of these flyers have used united.com since the introduction of this vulnerability. Each one of these users is at risk of identity theft, email spam and stalking. Terrorists may use this information to obtain or forge boarding documents.
Control: United.com redirects all web traffic on mobile devices to an https platform which encrypts traffic. United.com should use this same control on normal laptop and workstation traffic, or at the very least, redirect login information to an encrypted, https enabled web form. As of May 5th, United has updated the login page to submit the user’s information to an encrypted page.
Residual Risk: Critical
If there is even a .01% chance that 100,000 users accessed their united.com account while this vulnerability was in place, this constitutes a minimum financial loss of $1,000,000 to cover one year of identity theft monitoring for users.
United Airlines Response:
April 29th, United Airlines provided, via twitter, an email address to send information to: (eservice@united.com).
May 5th, in response to a second email to eservice@united.com that was cc’d to their CISO I received an email form the CISO promising to look into it, and then later a phone call to discuss timing of a public disclosure.
May 6th, I received a call from the CISO informing me that the vulnerability had been addressed.
MECTF Response:
Information has been forwarded to DHS, USSS and Chicago ECTF
CECTF Response:
May 5th, Spoke on the phone with Chicago ECTF
InfraGard Response:
Assigned iGuardian/ Incident number INFRAGARD-2014-00054
Solution:
United.com’s team worked on and deployed a multipart fix that addresses this and a similar issue. The following code has been implemented on united.com’s web site. Notice the forced direction to the https url in the post:
<body id="ctl00_bodyMain" onunload="PurchaseAbandon();">
<form name="aspnetForm" method="post" action="https://www.united.
The fix for this specific issue was to direct the post to the recommended https/ssl encrypted page.
United.com should determine how long this vulnerability existed, and how many users it affected in order to provide recommended disclosure. Any united.com client who had their information exposed should immediately change their password, and may wish to take additional actions if they believe their account has been compromised. Additional information on the 47 states different breach laws, and breach notification requirements can be found here: http://www.perkinscoie.com/
Credit:
This problem was originally found by Michael Scheidell, CCISO and Managing Director of Security Privateers. Issue was discovered during a routine booking of a flight on United.com and verified by using Microsoft Message Analyzer to inspect traffic on the local network. No hacking performed, no hacking attempted.
Additional research and documentation by Almantas Kakareka, CISSP, Founder and CTO of Demoy, Inc.
Additional Information:
A tcpdump/pcap packet of the information disclosure will only be shared with responsible party.
We believe in responsible disclosure. Responsible companies should acknowledge the efforts of recognized security researchers and security researchers should avoid public disclosure of vulnerabilities before working with the vendor to fix them.
Almantas shared this additional research and documentation:
Once you enter the correct username:password combo they redirected you to the https site, but that is too late, because username and password were transmitted in the clear already. I have a set of valid username and pass, so I tried with both and highlighted username and password fields.
Incorrect credentials:
POST /web/en-US/apps/account/
Host: www.united.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:28.0) Gecko/20100101 Firefox/28.0
Accept: text/html,application/xhtml+
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.united.com/web/en-
Cookie: VanityURL=Null; TLTSID=
Connection: keep-alive
Content-Type: application/x-www-form-
Content-Length: 1869
hdnServer=.58&hdnSID=
HTTP/1.1 200 OK
Cache-Control: private,no-cache
Content-Type: text/html; charset=utf-8
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Server: Continental Airlines, Inc.
Content-Length: 29133
Date: Sun, 04 May 2014 22:13:44 GMT
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: VanityURL=; domain=united.com; path=/
Set-Cookie: TLTSID=
Set-Cookie: TLTUID=
Set-Cookie: akaau=1399241903~id=
Set-Cookie: SID=
Set-Cookie: dnn=false; domain=united.com; path=/
Set-Cookie: cocom=si=False; domain=united.com; path=/
Set-Cookie: 1stSID=
Set-Cookie: ChaseICLastPage=/web/en-US/
Set-Cookie: culture=LanguageDesc=English; domain=united.com; path=/
Set-Cookie: WB03=3aX4YIzPvAjgDJeFdBzCSlN_
Set-Cookie: akaau=1399241924~id=
==============================
Correct credentials:
POST /web/en-US/apps/account/
Host: www.united.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:28.0) Gecko/20100101 Firefox/28.0
Accept: text/html,application/xhtml+
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.united.com/web/en-
Cookie: VanityURL=Null; TLTSID=
Connection: keep-alive
Content-Type: application/x-www-form-
Content-Length: 2229
hdnServer=.83&hdnSID=
HTTP/1.1 302 Moved Temporarily
Cache-Control: private,no-cache
Content-Type: text/html; charset=utf-8
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Location: https://www.united.com/web/en-
Server: Continental Airlines, Inc.
Content-Length: 226
Date: Sun, 04 May 2014 22:15:35 GMT
Connection: keep-alive
Set-Cookie: VanityURL=; domain=united.com; path=/
Set-Cookie: TLTSID=
Set-Cookie: TLTUID=
Set-Cookie: akaau=1399241903~id=
Set-Cookie: SID=
Set-Cookie: dnn=false; domain=united.com; path=/
Set-Cookie: cocom=si=False&RememberID=&
Set-Cookie: 1stSID=
Set-Cookie: ChaseICLastPage=/web/en-US/
Set-Cookie: culture=LanguageDesc=English; domain=united.com; path=/
Set-Cookie: WB03=3aX4YIzPvAjgDJeFdBzCSlN_
Set-Cookie: AuthCookie=
Set-Cookie: akaau=1399242035~id=
<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="https://www.united.com/
</body></html>
For Further information, Contact:
Michael Scheidell, CCISO, Security Privateers, (561) 948-1305 / michael@securityprivateers.com
Almantas Kakareka, CCISP, Demyo, Inc, (201) 665 6666 / almaz@demyo.com
Original document can be found at http://privateers.in/d6
--
Michael Scheidell, CCISO, SMIEEE
Security Privateers<http://www.
Direct: (561) 948-1305
Office: (561) 948-1289
Sales: (877) 948-1289
http://michael.scheidell.org
@scheidell<http://twitter.com/
//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information