The Switch, The Washington Post

This guy won more than a million miles of free airfare for hacking United Airlines

Jordan Wiens has always wanted to fly around the world — business class. His wife is on board for the adventure but would rather save 200,000 frequent flyer miles by flying coach.

But after Jordan Wiens won 1.25 million frequent flyer miles with United Airlines, the couple can probably treat themselves to a little more legroom.

“That’d be a once in a lifetime opportunity,” said Wiens, a software vulnerability researcher, in a Friday interview.

Wiens was one of two hackers United recently rewarded with a million free miles of air travel for discovering and alerting the company to software defects through the airlines “bug bounty” program. With a million miles, they could fly from the continental United States to Europe 33 times.

Wiens said he won another quarter-million miles this week for reporting another defect. That means he could fly to Europe another eight times.

“Bug bounty” programs have become increasing popular with technology companies. Facebook, Twitter and Dropbox offer hundreds of dollars to hackers who alert them to security problems on their site.  Now security experts say as the risks of cyber breaches grows, the practice is spreading outside the tech field.

“As things get increasingly automated all around us, software is all around us and software bugs are all around us,” Harlan Yu, a principal at technology firm Upturn, said in a recent interview.

United, the second-largest airline in the United States, began the program just weeks before software glitches grounded the airline’s fleet twice. On June 2, 150 United flights were delayed for nearly an hour because of a problem with the airline’s flight dispatching system. On July 8, United’s reservation system malfunctioned for two hours and did not allow passengers to check in for their flights.

Wiens said the first problem he discovered, the one that got him a million frequent flyer miles, was a “remote code execution,” the kind of hack that allows a user to seize control of an entire device. The second was an “information disclosure,” or a data leak. Contest rules bar him from talking publicly about his specific discoveries, Wiens said.

“We are committed to protecting our customers’ privacy and the personal data we receive from them,” United said in a statement posted on its Web site. “We believe that this [bounty] program will further bolster our security and allow us to continue to provide excellent service.”

Wiens said he never planned on entering United’s contest. His day job, after all, is doing nearly the same thing as a consultant. But after a friend who entered the program called him asking for a little advice, Wiens started poking around and after three hours of leisurely searching, realized he was on to something.

By the next night, he had found a major vulnerability. Days later, United paid up.

And then paid up again.

But reporting those bugs doesn’t mean United has a poor online security system, Wiens said. The fact the airline runs a contest to detect these problems means more companies are getting realistic about the advantages of crowdsourcing cybersecurity, he said.

“I don’t think United has a bad security posture,” he said. “I think having a bug bounty program speaks to the maturity of their online presence.”

“I hope it continues,” he added. “I hope more companies get in on it.”

But that’s not because Wiens needs more airline miles.

https://www.washingtonpost.com/blogs/the-switch/wp/2015/07/17/this-guy-won-more-than-a-million-miles-of-free-airfare-for-hacking-united-airlines/

Advertisements
Standard

Whatcha think? Leave a comment!

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s