Back to directory
WRITEUP #903

Leaked Secrets and Unlimited Miles: Hacking the Largest Airline and Hotel Rewards Platform

Auth BypassPath traversalAuthorization bypassHardcoded credentialsWeak Flask Session SecretAccount takeover
by@iangcarroll(Ian Carroll)
Program
points.comUnited AirlinesVirgin
Published
Aug 3, 2023
Added to HackDex
Aug 8, 2023
Read Full Writeuphttps://samcurry.net/points-com/
RELATED WRITEUPS
Interesting Story of an Account Takeover Vulnerability
Auth BypassAccount takeover
Instagram and Meta 2FA Bypass by Unprotected Backup Code Retrieval in Accounts Center
Auth Bypass2FA / MFA bypass
Forced SSO Session Fixation
Auth BypassSSO
Account takeover on 8 years old public program
Auth BypassAccount takeover
$500 for Cracking Invitation Code For Unauthorized Access & Account Takeover
Auth BypassAccount takeover

Built with ❤️ by Shubham Rawat