In a new finding, a group of security researchers discovered that vulnerabilities in the Points.com API could most likely be exploited to expose customer data or to steal customers’ “loyalty currency” (such as miles) or the Points global administration accounts in order to gain control over the entire program.
About the Vulnerabilities
The researchers discovered a vulnerability involving a manipulation that enabled them to move between internal sections of the Points API infrastructure and then query it for incentive program client orders. 22 million order records, which include information like customer rewards account numbers, addresses, phone numbers, email addresses, and partially completed credit card numbers, have been found in the system. A hacker could not just dump the entire data store at once, since Points.com set limits on how many responses the system could provide at once. However, the researchers point out that this would have made it possible for the threat actor to look up certain people of interest or to gradually drain data fr
[…]