loader gif

Critical vulnerabilities spotted in the Amtrak mobile application

Critical vulnerabilities spotted in the Amtrak mobile application
  • These flaws were present in the iOS application version 3.1.7, on the server side.
  • It is estimated that the vulnerabilities if exploited, lead to a data breach of at least 6 million Amtrak guest rewards.

The mobile application of Amtrak, the popular railroad service provider in the US, was found to have serious security vulnerabilities that could have led to a massive data breach of its customers.

A research study carried out by security consulting firm Bishop Fox revealed that the vulnerabilities existed in the mobile APIs, allowing attackers to override authentication following which, sensitive data could be stolen.

User data at risk

Sensitive data which was at risk included Personally Identifiable Information (PII) such as full names, addresses, and phone numbers, along with partial payment data.

The researchers discovered that two API endpoints in the app backend did not enforce authentication. This could allow even script kiddies to exploit the data with just usernames.

eVouchers could be stolen

Furthermore, the report also showed how the team bypassed the SSL pinning implemented in the iOS application. Once this was done, it was possible to steal customer data from Amtrak’s database.

“Successful exploitation of the Authentication Bypass vulnerability gave access to the customer’s PNR details. Using these details, a request to refund to an eVoucher was made, and since the response contained the eVoucher code, an attacker could legitimately use those funds on Amtrak.com. Although the web application attempted to verify ownership of the eVoucher by requiring the user to enter some related information, this attack could not be thwarted because the attacker would already have that information,” indicated the report.

The eVoucher code is mailed to Amtrak users in the case of ticket cancellation. It forms the other option for payment refunds.

Bishop Fox has notified the railroad company of these server-side vulnerabilities. The issue has been resolved.

loader gif