Version 3.1.7 of the iOS mobile application of the rail service Amtrak has been found to contain security flaws. If exploited, they could expose over six million customer rewards accounts. Flaws in the mobile API's endpoints allow authentication to be bypassed, ultimately leading to theft of data: PII such as full names, partial payment data, phone numbers, and addresses could be accessed.

The researchers who found the flaws described the impact as follows: "Successful exploitation of the Authentication Bypass vulnerability gave access to the customer's PNR details. Using these details, a request to refund to an eVoucher was made, and since the response contained the eVoucher code, an attacker could legitimately use those funds on Amtrak.com. Although the web application attempted to verify ownership of the eVoucher by requiring the user to enter some related information, this attack could not be thwarted because the attacker would already have that information." eVoucher codes are issued to customers when a ticket is cancelled and serve as an alternative form of refund. The issue was reported to Amtrak, which states that it has been resolved.
Users who have this mobile application installed should delete and reinstall it so that the update is applied. As a precaution, they should also change their usernames and passwords.
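The design point in the researchers' description is that "ownership" was checked by asking for information the bypass had already revealed, and that the refund response returned the spendable code itself. The added example below (not Amtrak's code; the record store, account ids and voucher format are constructed) contrasts that knowledge-based check with a refund handler that binds the refund to the authenticated account owning the PNR and returns only an opaque reference:

```python
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed sample records (not Amtrak data): PNR -> owning account and details.
PNRS = {
    "ABC123": {"owner_account": "acct-1001", "last_name": "Doe", "fare": 120.0, "refunded": False},
    "XYZ789": {"owner_account": "acct-2002", "last_name": "Roe", "fare": 85.0, "refunded": False},
}
EVOUCHERS = {}  # voucher reference -> {"code": ..., "account": ..., "amount": ...}


@dataclass
class Session:
    account_id: Optional[str]  # None models an unauthenticated (or bypassed) caller


def issue_evoucher(pnr_id, account_id):
    """Mark the PNR refunded and mint a voucher tied to the given account."""
    rec = PNRS[pnr_id]
    rec["refunded"] = True
    ref = "ev-" + secrets.token_hex(4)
    EVOUCHERS[ref] = {"code": secrets.token_urlsafe(12), "account": account_id, "amount": rec["fare"]}
    return ref


def refund_weak(pnr_id, last_name):
    """Weak: 'ownership' is proven by knowing details the PNR lookup itself reveals,
    and the redeemable code is handed back in the API response."""
    rec = PNRS.get(pnr_id)
    if rec is None or rec["refunded"] or rec["last_name"] != last_name:
        return {"ok": False}
    ref = issue_evoucher(pnr_id, rec["owner_account"])
    return {"ok": True, "evoucher_code": EVOUCHERS[ref]["code"]}


def refund_hardened(session, pnr_id):
    """Hardened: the refund is bound to the authenticated account that owns the PNR,
    and the response carries only an opaque reference, never the spendable code."""
    rec = PNRS.get(pnr_id)
    if session.account_id is None or rec is None or rec["refunded"]:
        return {"ok": False}
    if rec["owner_account"] != session.account_id:
        return {"ok": False}  # knowing the PNR details is not ownership
    ref = issue_evoucher(pnr_id, session.account_id)
    return {"ok": True, "evoucher_ref": ref}  # code is delivered to the account's registered contact
```

The hardened handler also refuses a second refund of the same PNR, so a replayed request cannot mint a second voucher.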