Israeli researcher Yosi Dahan told United Airlines that he had found a security flaw in its website. He thought the company would be quick to act. He was surprised when, two weeks later he had still not received a response from the company.
Dahan, an “ethical hacker,” who find security holes at a company and tells them about it. He was especially shocked, because United Airlines had recently launched a program, which rewards security researchers with air miles for finding security flaws in its network.
“It was around two weeks ago and I didn’t get any reply from the bug bounty program from the dedicated email address and I decided to reach out to employees from United using LinkedIn,” Dahan, who runs his own research firm called Turrisio Cybersecurity, told CNBC by phone.
“I told them that I found the vulnerability, but I didn’t get any response so I decided to escalate this issue to the media.”
The security flaw discovered by Dahan enabled hackers to write a code, that would block many of United Airlines MileagePlus customers’ accounts. Dahan found a way to spam a person’s account with incorrect passwords, and lock them out.
Last week, one of Google’s security chiefs told CNBC that, companies should “respect” hackers that break into their networks and pay them. Dahan’s experience highlights the stark reality of “white hat hacking.” Some companies still find it difficult to embrace unknown researchers, finding flaws in their networks.
After CNBC contacted United Airlines, the company fixed the security hole. “We are committed to providing our customers secure access to their accounts, and we fixed this issue. We have responded to Mr Dahan, and will continue to thoroughly review all submissions through and in accordance with the Bug Bounty program,” the company told CNBC by email.
Finding that helpful hacker
Cyberattacks are one of the biggest threats facing businesses. The cost of data breaches at companies is expected to hit $2.1 trillion globally by 2019, according to Juniper Research. While some firms are spending more on shoring up their defenses internally, independent researchers can often give another perspective on security flaws.
In a bid to make companies more comfortable with the idea, some Silicon Valley giants have official programs for hackers to inform them about security holes, and get paid for their work.
“One time, I found a bug. I tried to report it (but) they replied that I was trying to hack or get into their system. I had no intention to do bad, but they said I was trying to infiltrate the company,” said Allan Jay Dumanhug, Security researcher.
A recently launched platform called, HackerOne was created by researchers, who hailed from Facebook, Microsoft, and Google. The service allows independent researchers to upload the vulnerabilities they find to the platform, and receive money from companies using the website.
People using the platform earn an average of $650 per flaw that is found, according to Alex Rice, chief technology officer at HackerOne.
Some companies may be wary of ethical hackers, given these people work as freelancers under no contract. This can potentially causing issues around confidentiality and whether the company’s security flaws will remain a secret.
No ‘bad intentions’
Dahan’s experience with United Airlines does not appear to be a one-off. Another security researcher, Allan Jay Dumanhug, said he had had a similar experience with a company he did not wish to name, in order to keep his correspondence with the firm confidential in case he reached out to it again.
“One time, I found a bug. I tried to report it (but) they replied that I was trying to hack or get into their system. I had no intention to do bad, but they said I was trying to infiltrate the company,” the 19-year-old security researcher in the Philippines told CNBC by phone.
Dumanhug started hacking for personal gain, when he was just 14 years of age. He quickly saw that money could be made from ethical hacking. Since he began, he said he has made around $10,000 from highlighting security flaws to companies.
Putting off good hackers?
Tech industry analysts are urging companies to start talking to hackers, in an attempt to bolster their security, and help safeguard their businesses.
“Security is a very challenging problem. The companies that are participating in these programs start to acknowledge that and start to understand that, despite all the things that they’re doing internally, you want to prepare for that inevitable circumstance when one of those security holes makes it out into the public,” Rice told CNBC earlier this year.
Despite an increasing number of companies trying to embrace “white hat hackers,” the companies that are resistant, could put researchers off coming to tell them about serious vulnerabilities.
“I don’t think I would like them (United Airlines) again because their response was really slow and in this case I didn’t get a response,” Dahan said.
Image Credit: CC by zodman