writeups.xyz / Leaked Secrets and Unlimited Miles: Hacking the Largest Airline and Hotel Rewards Platform

Submitter : c2a

Date: 3 August 2023

Bounty : undisclosed

Vulnerabilities :

• Path Traversal
• Authorization Bypass
• Hardcoded Credentials
• Weak Flask Session Secret
• Account Takeover

Programs :

• Points.com
• United Airlines
• Virgin

Authors :

• Ian Carroll (@Iangcarroll)
• Shubham Shah (@Infosec_au)
• Sam Curry (@Samwcyo)

Link :
https://samcurry.net/points-com/