Emirates Skywards accounts leaked on the net

Posted by Tahir 26 July, 2008

It is not unusual to come across stolen identities on the web and this one is no exception. I came across a post in an underground forum listing a bunch of Emirates Skywards accounts. I picked a random account to verify the claims and the rest is pictured below:

Figure 1: Skywards/Emirates account main page

Figure 2: Saved credit card information

Figure 3: Skywards member personal information

After going through the list, I reckon the accounts were compromised as a result of brute force attacks given the relative serial order of the listed accounts, and the inadequate authentication controls available on emirates.com.
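The serial ordering noted above is also something a defender can look for in authentication logs. The following added example (not from the original post or from Emirates) flags a source that tries a run of near-consecutive account numbers within a short window and lists the accounts it logged in to; the log layout, the numeric account format and the thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, source IP, account number, result.
# The field layout and the numeric account format are assumptions.
SAMPLE_LOG = """\
2008-07-25T10:00:01 203.0.113.7 100231 FAIL
2008-07-25T10:00:03 203.0.113.7 100232 FAIL
2008-07-25T10:00:04 203.0.113.7 100233 OK
2008-07-25T10:00:06 203.0.113.7 100235 FAIL
2008-07-25T10:00:09 203.0.113.7 100236 FAIL
2008-07-25T10:00:11 203.0.113.7 100237 OK
2008-07-25T10:01:00 198.51.100.20 484120 FAIL
2008-07-25T10:01:45 198.51.100.20 484120 OK
2008-07-25T10:02:10 192.0.2.44 771002 OK
2008-07-25T10:05:10 192.0.2.44 120933 OK
"""

def parse(log):
    for line in log.splitlines():
        ts, src, acct, result = line.split()
        yield datetime.fromisoformat(ts), src, int(acct), result == "OK"

def longest_serial_run(accounts, max_gap):
    """Longest run of distinct accounts whose sorted neighbours differ by <= max_gap."""
    best = run = 0
    prev = None
    for a in sorted(set(accounts)):
        run = run + 1 if prev is not None and a - prev <= max_gap else 1
        best = max(best, run)
        prev = a
    return best

def find_enumeration(log, min_run=5, max_gap=2, window=timedelta(minutes=10)):
    """Return {source: report} for sources walking serial account numbers in one window."""
    by_src = defaultdict(list)
    for ts, src, acct, ok in parse(log):
        by_src[src].append((ts, acct, ok))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            win = [e for e in events[i:] if e[0] - start <= window]
            run = longest_serial_run([a for _, a, _ in win], max_gap)
            if run >= min_run:
                flagged[src] = {"serial_run": run,
                                "accounts_to_reset": sorted({a for _, a, ok in win if ok})}
                break
    return flagged
```

A user retrying one account, or one source logging in to two unrelated accounts, is not flagged; only the source that walks a numeric range is.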

Skywards members - update your passwords now!

Update (July 31, 8:30 AM GMT+4): Emirates Airlines has acted swiftly on this threat and has added additional security measures to the Emirates.com and Skywards.com websites:

Figure 4: Updated Skywards.com login page

Figure 5: Updated Emirates.com login page

A date of birth field is now required for authentication on both the Emirates.com and Skywards.com websites. Additionally, client-side validation that checks for a valid Skywards membership number format has been implemented (can’t confirm if this was available earlier, though).

A job well done - just what you would expect from a world-class airline!

Comments
July 30, 2008

What the f*** u r talking..

I have already emirates logins.

what special abt the skywards?? Emirates skyword its just waste of emirates airline.

Posted by sam
Posted by relieved
August 13, 2008

haha!! :) These so-called new measures do not do away with personal info already obtained by using the hacked accounts

Emirates should have thought of this sooner rather than later!! Never mind - Emirates is not alone!

Posted by anonymous
October 28, 2008

The so-called “world class airline” has interestingly removed the birthday check. This opens them to brute force attacks once again. Are they out of their minds? People can pick up a simple forms-based brute force scanner like fscan and get the account details. This is easier now since they still don’t have captcha implemented! Boooo on you Emirates!

Posted by no bday