Logo Background

Emirates Skywards accounts leaked on the net

  • It is not unusual to come across stolen identities on the web and this one is no exception. I came across a post in an underground forum listing a bunch of Emirates Skywards accounts. I picked a random account to verify the claims and the rest is pictured below:

    Skywards account main page

    Figure1: Skywards/Emirates account main page

    Saved credit card information

    Figure 2: Saved credit card information

    Skywards member personal information

    Figure 3: Skywards member personal information

    After going through the list, I reckon the accounts were compromised as a result of brute force attacks given the relative serial order of the listed accounts, and the inadequate authentication controls available on emirates.com.

    Skywards members – update your passwords now!

    Update (July 31,8:30 AM +4GMT): Emirates Airlines has acted swiftly to this threat and have added additional security measures on Emirates.com and Skywards.com websites:

    Updated Skywards.com

    Figure 4: Updated Skywards.com login page

    Updated Emirates.com

    Figure 5: Updated Emirates.com login page

    A date of birth field is now required for authentication on both Emirates.com and Skywards.com websites. Additionally, client-side validation has been implemented (can’t confirm if this was available earlier though) that checks for valid Skywards membership number format.

    A job well done – just what you would expect from a world-class airline!

Advertisement

Leave a Comment Leave a Comment
5 Comments
  1. #1 sam
    July 30, 2008 pm31 9:32 am

    What the f*** u r talking..

    I have already emirates logins.

    what special abt the skywards?? Emirates skyword its just waste of emirates airline.

    Post ReplyPost Reply
  2. #2 relieved
    July 31, 2008 pm31 3:55 am

    http://www.gulfnews.com/nation/General/10233228.html

    :-) phew!

    Post ReplyPost Reply
  3. #3 anonymous
    August 13, 2008 pm31 10:15 am

    haha!! :) These so-called new measures do not do away with personal info already obtained by using the hacked accounts

    Emirates should have thought of this sooner rather than later!! Never mind – Emirates is not alone!

    Post ReplyPost Reply
  4. #4 no bday
    October 28, 2008 pm31 1:04 pm

    the so-called “world class airline” has interestingly removed the birthday check..this opens them to brute force attacks once again. are they out of their minds? people can pickup a simple forms-based brute force scanner like fscan and get the account details. This is easier now since they still don’t have captcha implemented! Boooo on you Emirates!

    Post ReplyPost Reply
  5. #5 don
    July 1, 2009 pm31 12:22 pm

    @no bday: they have captcha in place now after you repeatedly put in wrong password

    Post ReplyPost Reply
Leave a Comment

Featured Video

Tag Cloud

Twitter updates

Twitter Updates

    follow me on Twitter
    (-) HatSecurity.com
    Copyright © 2010 (-) HatSecurity.com