United.com Insecure Transmission of User Credentials

United Airways® united.com Insecure Transmission of User Credentials

Systems:  www.united.com
Severity: Critical
Category: Information Disclosure
Author: Michael Scheidell, CCISO – Managing Director, Security Privateers
Original Public Release Date: June 30^th, 2014.

Notifications: April 29, 2014 (United Airlines, FBI InfraGard, Miami ECTF)
Notifications: April 31, 2014 (Miami ETCF Forwarded to USSS, DHS and Chicago ECTF)
Notifications: May 5^th, 2014.  Update sent to MECTF and This email address is being protected from spambots. You need JavaScript enabled to view it.

Revision Date: July 11, 2014

Reason for Revision: Added information on date vulnerable from archive.org

Discussion: (From United.com’s web site, privacy policy)

Privacy Policy

Your privacy is important to us

United Airlines is committed to protecting the privacy and personal data it receives from customers. We want you to know that when you use one of the United family Internet websites, and when you provide us with information offline, the privacy of your personally identifiable information will be respected and protected.

Vulnerability:  Confidential login information, including password is transmitted in plain text

This vulnerability has similar scope and threat as the HeartBleed bug.  Even though this exploit does not depend on the HeartBleed bug, it still has the potential to disclose confidential information that the user would reasonably assume to be sensitive or, in combination with their username, would be considered private, unpublished personal information.

The Home page of  www.united.com has a link to a ‘Sign in’ page in the upper right hand corner clicking on this link brings the user to another page, an html form that requests userlogin and password. Source code reveals that ‘Sign in (Secure)’ button links to http, not https page:

<div><span id="ctl00_CustomerHeader_spanNotSignedIn"><a id="ctl00_CustomerHeader_linkSignIn" href="/apps/account/account.aspx">Sign In</a> | </span><a id="ctl00_CustomerHeader_linkMyAccount" href="/apps/account/account.aspx">My Account</a> | <a accesskey="9" href="/content/Contact/default.aspx">Contact Us</a></div>

When you select ‘Sign in’, you are presented with a screen at url: http://www.united.com/web/en-US/apps/account/account.aspx and asked to log in.

The request is for MileagePlus Number or Username:

PIN or Password:

And the ‘submit’ button is labeled ‘Sign In (Secure)’. 

First thing to note is that this is an http (plain text, unencrypted) webpage, second thing to note is that the submit button calls a standard ‘POST’ which when the user presses the ‘Sign In (Secure)’ button, the information is transmitted from the user’s computer across the internet in plain text.

<body id="ctl00_bodyMain" onunload="PurchaseAbandon();">

<form name="aspnetForm" method="post" action="signin.aspx" onsubmit="javascript:return WebForm_OnSubmit();" id="aspnetForm">

I suspected that there might be an issue with this not directing to or using SSL, so I enabled Microsoft Message Analyzer (Instead of Wireshark), selected proxy mode and watched the transactions.  It is clear, in packet #45 of the packet trace that the username and password that were entered into the above form were sent to www.united.com in plain text.

Threat: Unauthorized person can obtain the confidential credentials of an authorized user.  For information on how your information is stolen on open, unencrypted Wifi see 'Stalker: A creepy look at you, online'.

The combination of these vulnerabilities, the disclosure of confirmation number, flight information, username and password pose a significant threat to the traveler.  In addition to flight information, the united.com web site allows a logged on user the ability to view Full Name, Home Address, Phone Numbers, email address, birthdate, and any government issued ID such as passport number, redress number of Global Entry/TSA precheck number. This is not just a theoretical threat as the danger to a frequent flyer is increased due to the use of public/free unencrypted WiFi in airports, VIP lounges, coffee houses and hotels.   It is due to the ease of interception of http/web traffic that https, ssl encryption was mandated for PCI compliant web sites.

Exploit: A packet sniffer installed on a hub, gateway, router, switch or computer could be used to read information along with easily obtained software that is designed to collect information from unencrypted wireless networks.

Risk: United services 16 million flyers a year.  If an Unauthorized person used the above information to log in, they can obtain additional confidential information on the web site such as name, phone number, birth date, address, email address, TSC precheck /known traveler number, and information on past and future travel plans. An unknown number of these flyers have used united.com since the introduction of this vulnerability.  Each one of these users is at risk of identity theft, email spam and stalking.  Terrorists may use this information to obtain or forge boarding documents.

Date vulnerable:  According to archive.org, the encryption was removed on April 30^th, 2013 between 10:32 am and 1:00pm.  (Thanks to Brian Krebs, www.krebsonsecurity.com for pointing out archive.org)

encrypted: 10:32 am, 2013

<form name="aspnetForm" method="post" action="/web/20130430103246/https://www.united.com/web/en-US/apps/account/signin.aspx?SID=41FF5F6DB1F9473190517A996ABAC760&amp;" id="aspnetForm">

<form name="aspnetForm" method="post" action="/web/20130430130005/http://www.united.com/web/en-US/apps/account/signin.aspx?SID=699670405910445680B8B6A2458D5E2F&amp;" id="aspnetForm"> unencrypted 1:00pm, 2013.

Page was left unencrypted until United Airlines re-enabled encryption on the page on May 5^th, 2014.

Control: United.com redirects all web traffic on mobile devices to an https platform which encrypts traffic.  United.com should use this same control on normal laptop and workstation traffic, or at the very least, redirect login information to an encrypted, https enabled web form.  As of May 5^th, United has updated the login page to submit the user’s information to an encrypted page.

Residual Risk:  Critical

If there is even a .01% chance that 100,000 users accessed their united.com account while this vulnerability was in place, this constitutes a minimum financial loss of $1,000,000 to cover one year of identity theft monitoring for users.

United Airlines Response:

April 29^th, United Airlines provided, via twitter, an email address to send information to: (This email address is being protected from spambots. You need JavaScript enabled to view it.).

May 5^th, in response to a second email to This email address is being protected from spambots. You need JavaScript enabled to view it. that was cc’d to their CISO I received an email form the CISO promising to look into it, and then later a phone call to discuss timing of a public disclosure.

May 6^th, I received a call from the CISO informing me that the vulnerability had been addressed.

 

MECTF Response:

Information has been forwarded to DHS, USSS and Chicago ECTF

 

CECTF Response:

May 5^th, Spoke on the phone with Chicago ECTF

 

InfraGard Response:

Assigned iGuardian/ Incident number INFRAGARD-2014-00054

Solution: 

United.com’s team worked on and deployed a multipart fix that addresses this and a similar issue. The following code has been implemented on united.com’s web site.  Notice the forced direction to the https url in the post:

<body id="ctl00_bodyMain" onunload="PurchaseAbandon();">

<form name="aspnetForm" method="post" action="https://www.united.com/web/en-US/apps/account/signin.aspx" onsubmit="javascript:return WebForm_OnSubmit();" id="aspnetForm">

The fix for this specific issue was to direct the post to the recommended https/ssl encrypted page.

United.com should determine how long this vulnerability existed, and how many users it affected in order to provide recommended disclosure.  Any united.com client who had their information exposed should immediately change their password, and may wish to take additional actions if they believe their account has been compromised.   Additional information on the 47 states different breach laws, and breach notification requirements can be found here: http://www.perkinscoie.com/statebreachchart/

Credit:

This problem was originally found by Michael Scheidell, CCISO and Managing Director of Security Privateers.  Issue was discovered during a routine booking of a flight on United.com and verified by using Microsoft Message Analyzer to inspect traffic on the local network.  No hacking performed, no hacking attempted.

Additional research and documentation by Almantas Kakareka, CISSP, Founder and CTO of Demyo, Inc.

Additional Information:

A tcpdump/pcap packet of the information disclosure will only be shared with responsible party.

We believe in responsible disclosure.  Responsible companies should acknowledge the efforts of recognized security researchers and security researchers should avoid public disclosure of vulnerabilities before working with the vendor to fix them.

Almantas shared this additional research and documentation:

Once you enter the correct username:password combo they redirected you to the https site, but that is too late, because username and password were transmitted in the clear already. I have a set of valid username and pass, so I tried with both and highlighted username and password fields.

Incorrect credentials:

POST /web/en-US/apps/account/signin.aspx?SID=2339635A0A614FA582CBA1B6810337D2& HTTP/1.1

Host: www.united.com

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:28.0) Gecko/20100101 Firefox/28.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://www.united.com/web/en-US/apps/account/account.aspx

Cookie: VanityURL=Null; TLTSID=3B5BEC44430E6430D00DD799B0242B66; TLTUID=3B5BEC44430E6430D00DD799B0242B66; v1st=6DD392AF0993E475; akaau=1399241916~id=7064a883615beb764bd4137eaecb0a05; SID=2339635A0A614FA582CBA1B6810337D2; VanityURL=; akaau=1399241903~id=52a65a3f3488ee168c12ba0839a4fbec; dnn=false; IP=Check=1&Country=US&City=HALLANDALE&Region=FL&PostalCode=33008-33009&LineSpeed=vhigh&CityCS=0&StateCS=0&CountryCS=0&StartIP=0&EndIP=0&Cidr=0&Continent=NA&PhoneNumberPrefix=954&TimeZone=0&Latitude=25.9808&Longitude=-80.1486&Dma=528&Msa=0&Pmsa=2680&AOL=False&Asn=20214&SldId=0&TldId=0&RegOrgId=0&CarrierId=0; cocom=si=False; 1stSID=2339635A0A614FA582CBA1B6810337D2; ChaseICLastPage=/web/en-US/default.aspx?root=1; culture=LanguageDesc=English; WB03=3aX4YIzPvAjgDJeFdBzCSlN_dxYCUpPK7K-YRmHlyjAmNVxhXIIyuCA

Connection: keep-alive

Content-Type: application/x-www-form-urlencoded

Content-Length: 1869

 

hdnServer=.58&hdnSID=2339635A0A614FA582CBA1B6810337D2&hdnLangCode=en-US&hdnPOS=US&hdnClient=xxx.xxx.xxx.xxx&hdnInactive=false&hdnAccountNumber=&hdnAccountNumberE=&hdnAccountStatus=&__EVENTTARGET=&__EVENTARGUMENT=&hdnTiming=0.234324+seconds&__VIEWSTATE=%2FwEPDwUKMTQzNjgzNDA3NA9kFgJmD2QWAgIDDxYCHghvbnVubG9hZAUSUHVyY2hhc2VBYmFuZG9uKCk7FgICAQ9kFgQCBQ9kFgICCQ9kFgQCCQ9kFgICAQ8PFgIeC05hdmlnYXRlVXJsBTlodHRwczovL3d3dy51bml0ZWQuY29tL3dlYi9lbi1VUy9hcHBzL2FjY291bnQvZW5yb2xsLmFzcHhkZAIND2QWAgIBD2QWCAIBD2QWBAICDw8WBB4MRXJyb3JNZXNzYWdlBUYhIFBsZWFzZSBlbnRlciBhIE1pbGVhZ2VQbHVzIE51bWJlciBvciBVc2VybmFtZS48IS0tRXJyQ29kZTpWMS0tPjxici8%2BHg9WYWxpZGF0aW9uR3JvdXAFClNpZ25JbkZvcm1kZAIEDw8WBB8CBU0hIFBsZWFzZSBlbnRlciBhIHZhbGlkIE1pbGVhZ2VQbHVzIE51bWJlciBvciBVc2VybmFtZS48IS0tRXJyQ29kZTpWMTUtLT48YnIvPh8DBQpTaWduSW5Gb3JtZGQCAw9kFgJmDw8WAh8BBV9%2BL2VuLVVTL2FwcHMvYWNjb3VudC9zZXR0aW5ncy9hY2NvdW50TnVtYmVyUmVzb2x1dGlvbi5hc3B4P1NJRD0yMzM5NjM1QTBBNjE0RkE1ODJDQkExQjY4MTAzMzdEMmRkAgUPZBYEZg8PFgIfAwUKU2lnbkluRm9ybWRkAgIPDxYCHwMFClNpZ25JbkZvcm1kZAIJD2QWAmYPZBYCAgIPEA8WAh8DBQpTaWduSW5Gb3JtZGRkZAILDw8WAh4HVmlzaWJsZWhkZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WBQUYY3RsMDAkQ3VzdG9tZXJIZWFkZXIkcmQxBRhjdGwwMCRDdXN0b21lckhlYWRlciRyZDIFGGN0bDAwJEN1c3RvbWVySGVhZGVyJHJkMwUcY3RsMDAkQ3VzdG9tZXJIZWFkZXIkY2hrU2F2ZQUsY3RsMDAkQ29udGVudEluZm8kU2lnbkluJHJlbWVtYmVybWUkY2hrUmVtTWVtNPCBkkF%2BqAwHBybM%2BRgjKjLqjg%3D%3D&ctl00%24CustomerHeader%24ddlCountries=US&ctl00%24CustomerHeader%24rdlang=en-us&ctl00%24CustomerHeader%24chkSave=on&ctl00%24CustomerHeader%24countryText=&ctl00%24CustomerHeader%24langText=&ctl00%24ContentInfo%24hdnReturnPage=%2Fweb%2Fen-US%2Fapps%2Faccount%2Faccount.aspx%3FSID%3D2339635A0A614FA582CBA1B6810337D2&ctl00%24ContentInfo%24SignIn%24onepass%24txtField=123123&ctl00%24ContentInfo%24SignIn%24password%24txtPassword=12313123&ctl00%24ContentInfo%24SignInSecure=Sign+In+%28Secure%29

 

HTTP/1.1 200 OK

Cache-Control: private,no-cache

Content-Type: text/html; charset=utf-8

Expires: Thu, 01 Dec 1994 16:00:00 GMT

Server: Continental Airlines, Inc.

Content-Length: 29133

Date: Sun, 04 May 2014 22:13:44 GMT

Connection: keep-alive

Vary: Accept-Encoding

Set-Cookie: VanityURL=; domain=united.com; path=/

Set-Cookie: TLTSID=3B5BEC44430E6430D00DD799B0242B66; domain=united.com; path=/

Set-Cookie: TLTUID=3B5BEC44430E6430D00DD799B0242B66; domain=united.com; path=/

Set-Cookie: akaau=1399241903~id=52a65a3f3488ee168c12ba0839a4fbec; domain=united.com; path=/

Set-Cookie: SID=2339635A0A614FA582CBA1B6810337D2; domain=united.com; path=/

Set-Cookie: dnn=false; domain=united.com; path=/

Set-Cookie: cocom=si=False; domain=united.com; path=/

Set-Cookie: 1stSID=2339635A0A614FA582CBA1B6810337D2; domain=united.com; path=/

Set-Cookie: ChaseICLastPage=/web/en-US/default.aspx?root=1; domain=united.com; path=/

Set-Cookie: culture=LanguageDesc=English; domain=united.com; path=/

Set-Cookie: WB03=3aX4YIzPvAjgDJeFdBzCSlN_dxYCUpPK7K-YRmHlyjAmNVxhXIIyuCA; domain=united.com; path=/

Set-Cookie: akaau=1399241924~id=490df85bb4d9bdcae491b9c82c398a00; path=/

 

======================================

 

Correct credentials:

POST /web/en-US/apps/account/signin.aspx?SID=2339635A0A614FA582CBA1B6810337D2&& HTTP/1.1

Host: www.united.com

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:28.0) Gecko/20100101 Firefox/28.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://www.united.com/web/en-US/apps/account/signin.aspx?SID=2339635A0A614FA582CBA1B6810337D2&

Cookie: VanityURL=Null; TLTSID=3B5BEC44430E6430D00DD799B0242B66; TLTUID=3B5BEC44430E6430D00DD799B0242B66; v1st=6DD392AF0993E475; akaau=1399241925~id=75eddb36b1fa81c429b9f436d037ad14; SID=2339635A0A614FA582CBA1B6810337D2; VanityURL=; akaau=1399241903~id=52a65a3f3488ee168c12ba0839a4fbec; dnn=false; IP=Check=1&Country=US&City=HALLANDALE&Region=FL&PostalCode=33008-33009&LineSpeed=vhigh&CityCS=0&StateCS=0&CountryCS=0&StartIP=0&EndIP=0&Cidr=0&Continent=NA&PhoneNumberPrefix=954&TimeZone=0&Latitude=25.9808&Longitude=-80.1486&Dma=528&Msa=0&Pmsa=2680&AOL=False&Asn=20214&SldId=0&TldId=0&RegOrgId=0&CarrierId=0; cocom=si=False; 1stSID=2339635A0A614FA582CBA1B6810337D2; ChaseICLastPage=/web/en-US/default.aspx?root=1; culture=LanguageDesc=English; WB03=3aX4YIzPvAjgDJeFdBzCSlN_dxYCUpPK7K-YRmHlyjAmNVxhXIIyuCA

Connection: keep-alive

Content-Type: application/x-www-form-urlencoded

Content-Length: 2229

 

hdnServer=.83&hdnSID=2339635A0A614FA582CBA1B6810337D2&hdnLangCode=en-US&hdnPOS=US&hdnClient=xxx.xxx.xxx.xxx&hdnInactive=false&hdnAccountNumber=&hdnAccountNumberE=&hdnAccountStatus=&hdnTiming=0.0624876+seconds&__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUKMTQzNjgzNDA3NA9kFgJmD2QWAgIDDxYCHghvbnVubG9hZAUSUHVyY2hhc2VBYmFuZG9uKCk7FgICAQ9kFgQCBQ9kFgICCQ9kFgYCCQ9kFgICAQ8PFgQeC05hdmlnYXRlVXJsBTlodHRwczovL3d3dy51bml0ZWQuY29tL3dlYi9lbi1VUy9hcHBzL2FjY291bnQvZW5yb2xsLmFzcHgeBFRleHQFGEVucm9sbCBvbmxpbmUgaW5zdGFudGx5LmRkAgsPFgIeB1Zpc2libGVnFgJmDw8WAh8CBcMBISBZb3VyIGFjY291bnQgd2lsbCBiZSBsb2NrZWQgYWZ0ZXIgb25lIG1vcmUgdW5zdWNjZXNzZnVsIGF0dGVtcHQuIElmIHlvdSBmb3Jnb3QgeW91ciBzaWduLWluIGluZm9ybWF0aW9uLCBjbGljayBvbiBvbmUgb2YgdGhlIGxpbmtzIGJlbG93IHRvIHJlY292ZXIgb3IgY2hhbmdlIHlvdXIgaW5mb3JtYXRpb24uPCEtLUVyckNvZGU6QTg0LS0%2BZGQCDQ9kFgICAQ9kFggCAQ9kFgQCAg8PFgYeDEVycm9yTWVzc2FnZQVGISBQbGVhc2UgZW50ZXIgYSBNaWxlYWdlUGx1cyBOdW1iZXIgb3IgVXNlcm5hbWUuPCEtLUVyckNvZGU6VjEtLT48YnIvPh4PVmFsaWRhdGlvbkdyb3VwZR8DaGRkAgQPDxYGHwNoHwQFTSEgUGxlYXNlIGVudGVyIGEgdmFsaWQgTWlsZWFnZVBsdXMgTnVtYmVyIG9yIFVzZXJuYW1lLjwhLS1FcnJDb2RlOlYxNS0tPjxici8%2BHwVlZGQCAw9kFgJmDw8WBB8BBV9%2BL2VuLVVTL2FwcHMvYWNjb3VudC9zZXR0aW5ncy9hY2NvdW50TnVtYmVyUmVzb2x1dGlvbi5hc3B4P1NJRD0yMzM5NjM1QTBBNjE0RkE1ODJDQkExQjY4MTAzMzdEMh8CBS48c21hbGw%2BRm9yZ290IFlvdXIgTWlsZWFnZVBsdXMgTnVtYmVyPzwvc21hbGw%2BZGQCBQ9kFgRmDw8WBB8FZR8DaGRkAgIPDxYEHwVlHwNoZGQCCQ9kFgJmD2QWAgICDxAPFgIfBQUKU2lnbkluRm9ybWRkZGQCCw8PFgIfA2hkZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WBQUYY3RsMDAkQ3VzdG9tZXJIZWFkZXIkcmQxBRhjdGwwMCRDdXN0b21lckhlYWRlciRyZDIFGGN0bDAwJEN1c3RvbWVySGVhZGVyJHJkMwUcY3RsMDAkQ3VzdG9tZXJIZWFkZXIkY2hrU2F2ZQUsY3RsMDAkQ29udGVudEluZm8kU2lnbkluJHJlbWVtYmVybWUkY2hrUmVtTWWa3vRH4I1VM0t1M2keUhs60TZORA%3D%3D&ctl00%24CustomerHeader%24ddlCountries=US&ctl00%24CustomerHeader%24rdlang=en-us&ctl00%24CustomerHeader%24chkSave=on&ctl00%24CustomerHeader%24countryText=&ctl00%24CustomerHeader%24langText=&ctl00%24ContentInfo%24hdnReturnPage=%2Fweb%2Fen-US%2Fapps%2Faccount%2Faccount.aspx%3FSID%3D2339635A0A614FA582CBA1B6810337D2%26&ctl00%24ContentInfo%24SignIn%24onepass%24txtField=xxxxxxxxx&ctl00%24ContentInfo%24SignIn%24password%24txtPassword=xxxx&ctl00%24ContentInfo%24SignInSecure=Sign+In+%28Secure%29

 

HTTP/1.1 302 Moved Temporarily

Cache-Control: private,no-cache

Content-Type: text/html; charset=utf-8

Expires: Thu, 01 Dec 1994 16:00:00 GMT

Location: https://www.united.com/web/en-US/apps/account/account.aspx?SID=2339635A0A614FA582CBA1B6810337D2&&SI=1

Server: Continental Airlines, Inc.

Content-Length: 226

Date: Sun, 04 May 2014 22:15:35 GMT

Connection: keep-alive

Set-Cookie: VanityURL=; domain=united.com; path=/

Set-Cookie: TLTSID=3B5BEC44430E6430D00DD799B0242B66; domain=united.com; path=/

Set-Cookie: TLTUID=3B5BEC44430E6430D00DD799B0242B66; domain=united.com; path=/

Set-Cookie: akaau=1399241903~id=52a65a3f3488ee168c12ba0839a4fbec; domain=united.com; path=/

Set-Cookie: SID=2339635A0A614FA582CBA1B6810337D2; domain=united.com; path=/

Set-Cookie: dnn=false; domain=united.com; path=/

Set-Cookie: cocom=si=False&RememberID=&UserName=&OPNumber=(username_goes_here)&PreSite=0; domain=united.com; expires=Thu, 03-Jul-2014 05:00:00 GMT; path=/

Set-Cookie: 1stSID=2339635A0A614FA582CBA1B6810337D2; domain=united.com; path=/

Set-Cookie: ChaseICLastPage=/web/en-US/default.aspx?root=1; domain=united.com; path=/

Set-Cookie: culture=LanguageDesc=English; domain=united.com; path=/

Set-Cookie: WB03=3aX4YIzPvAjgDJeFdBzCSlN_dxYCUpPK7K-YRmHlyjAmNVxhXIIyuCA; domain=united.com; path=/

Set-Cookie: AuthCookie=bdf609ff7d69f538236de7fa74d7a88afd88147a271d9c95a1fbe87bd5e4ef0f; domain=united.com; path=/

Set-Cookie: akaau=1399242035~id=ee7af219384df41d5c315edb7c4bc2ca; path=/<html><head><title>Object moved</title></head><body>

<h2>Object moved to <a href="/https://www.united.com/web/en-US/apps/account/account.aspx?SID=2339635A0A614FA582CBA1B6810337D2&amp;&amp;SI=1">here</a>.</h2>

</body></html>

For Further information, Contact:

Michael Scheidell, CCISO, Security Privateers, (561) 948-1305 / This email address is being protected from spambots. You need JavaScript enabled to view it.

Almantas Kakareka, CCISP, Demyo, Inc, (201) 665 6666 / This email address is being protected from spambots. You need JavaScript enabled to view it.