Bishop Fox Security Advisory: Critical Security Vulnerabilities Discovered in Amtrak Mobile APIs

The following describes critical vulnerabilities identified in the Amtrak mobile APIs. These vulnerabilities were verified against version 3.1.7 of the iOS mobile application; however, they are not tied to any specific version of the mobile app, because the vulnerabilities exist server-side.

Product Vendor

National Railroad Passenger Corporation

Product Description

The Amtrak mobile application acts as a personal kiosk for mobile e-ticketing and guest rewards management. The application can be downloaded from the official iTunes store at https://itunes.apple.com/us/app/amtrak/id405074003.

Vulnerabilities List

Two vulnerabilities were identified within the Amtrak mobile APIs:

      • Authentication bypass
      • Sensitive information disclosure

These vulnerabilities are described in the following sections.

Impact 

The Amtrak mobile APIs are affected by vulnerabilities that can directly lead to the exposure of Personally Identifiable Information (PII) and partial payment data for at least 6 million Amtrak guest rewards members. The Amtrak customers’ exposed PII includes full names, addresses and phone numbers.

If an Amtrak passenger had any upcoming trips, all the trip information along with partial payment data (last four digits of the credit card, the expiration date, and billing address) could have also been exposed. Users’ date of birth and citizenship information would be vulnerable as well if a passenger had entered this information in their reservation.

Additionally, an attacker could cancel a victim’s ticket and “steal” the funds by harvesting the eVoucher code. Harvesting this information could also act as a stepping stone toward “stealing” a victim’s ticket using the PNR number, as described in the next finding, Sensitive Information Disclosure.

Authentication Bypass

The following two API endpoints failed to enforce authentication, which led to the exposure of customer data. Since only a valid username was required for exploitation, this attack could be carried out by any unsophisticated attacker.

The team set up an intercepting proxy for the Amtrak mobile application and observed that it implemented SSL pinning. However, this additional layer of protection was easily bypassed by dynamic instrumentation of known system-level methods, which effectively disabled the check. The HTTP traffic was thus successfully intercepted.

Authentication Bypass – User Profile

The following request was made as an unauthenticated user (since the Authentication-Token header value was invalid) for obtaining a customer’s profile information:

Request

Response

Authentication Bypass – User Trips

The following endpoint disclosed a customer’s trip information (the Authentication-Token header value was invalid):

Note: The response differs slightly because this ticket was cancelled.

Request

Response

Using the PNR information from the above response, the following request resulted in exposure of the customer’s partial payment information:

Request

Response
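The two failing endpoints above share one root cause: the Authentication-Token header is read but never validated, so the username (or the PNR) alone selects the record. The following is an added illustration written for this advisory, not Amtrak's code or any code Bishop Fox published. It models a profile lookup and a PNR-keyed payment lookup in the "token ignored" form described above and in a hardened form that authenticates the caller and then checks that the requested record belongs to that caller. The endpoint functions, the session store, the token values and all customer records are constructed assumptions.

```python
"""Added illustration (not Amtrak's, Bishop Fox's, or any real API's code).

Models the two failing endpoints: a profile lookup keyed on the username and a
PNR-keyed payment lookup, each in the "token ignored" form the advisory
describes and in a hardened form that authenticates the caller and checks
that the record belongs to that caller. All names and records are constructed.
"""
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample data; none of it comes from the advisory.
PROFILES: Dict[str, dict] = {
    "alice": {"name": "Alice Example", "phone": "555-0100", "address": "1 Main St"},
    "bob":   {"name": "Bob Example",   "phone": "555-0101", "address": "2 Oak Ave"},
}
TRIPS: Dict[str, dict] = {  # keyed by PNR; every trip belongs to exactly one account
    "ABC123": {"owner": "alice", "route": "NYP-WAS",
               "card_last4": "4242", "card_exp": "09/27", "billing": "1 Main St"},
}
# Opaque bearer tokens issued at login (assumed session store). A token must be
# unguessable and bound to an account server-side, never derived from the username.
SESSIONS: Dict[str, str] = {"tok-a1f93c0e": "alice", "tok-b7c2d4e1": "bob"}


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


def get_profile_vulnerable(headers: dict, username: str) -> Response:
    """The behaviour described in the advisory: the Authentication-Token header is
    read but never validated, so the username alone selects the record."""
    _unused = headers.get("Authentication-Token")
    profile = PROFILES.get(username)
    return Response(200, profile) if profile else Response(404, {"error": "not found"})


def authenticate(headers: dict) -> Optional[str]:
    """Return the account bound to a valid Authentication-Token, or None.
    Each candidate is compared in constant time so an invalid token cannot be
    told apart from a near-miss by timing."""
    presented = headers.get("Authentication-Token", "").encode()
    account = None
    for token, owner in SESSIONS.items():
        if hmac.compare_digest(presented, token.encode()):
            account = owner
    return account


def get_profile(headers: dict, username: str) -> Response:
    """Hardened profile endpoint: authenticate, then enforce object-level authorization."""
    account = authenticate(headers)
    if account is None:
        return Response(401, {"error": "authentication required"})
    if account != username:  # a valid token for Bob must not read Alice's profile
        return Response(403, {"error": "forbidden"})
    return Response(200, PROFILES[username])


def get_trip_payment(headers: dict, pnr: str) -> Response:
    """Hardened PNR lookup: the PNR is a lookup key, not a credential, so ownership
    is checked against the authenticated account. Unknown and foreign PNRs get the
    same 404 so the endpoint does not confirm which PNRs exist."""
    account = authenticate(headers)
    if account is None:
        return Response(401, {"error": "authentication required"})
    trip = TRIPS.get(pnr)
    if trip is None or trip["owner"] != account:
        return Response(404, {"error": "not found"})
    return Response(200, {"pnr": pnr, "route": trip["route"],
                          "card_last4": trip["card_last4"], "card_exp": trip["card_exp"]})
```

The point of the hardened handlers is that the check happens in two steps and both are required: a valid token identifies the caller, and the identified caller must own the record being requested. Validating the token alone would still let any logged-in user read any profile by changing the username, and that second failure is exactly what a request with a valid username and no working token exercised here.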

Sensitive Information Disclosure

The assessment team identified that the ticket cancellation API offered two refund methods: an eVoucher or a refund to the original form of payment. The eVoucher was emailed to the email address on file for the user’s account. However, the API also returned the voucher information in the API response.

Thus, an attacker could chain the previous authentication bypass vulnerability with this information disclosure vulnerability to effectively “steal” funds from the victim. Successful exploitation of the Authentication Bypass vulnerability gave access to the customer’s PNR details. Using these details, a request to refund to an eVoucher was made, and since the response contained the eVoucher code, an attacker could legitimately use those funds on Amtrak.com. Although the web application attempted to verify ownership of the eVoucher by requiring the user to enter some related information, this attack could not be thwarted because the attacker would already have that information.

The following request shows the cancellation request, which required the pnrNumber and amount details, both of which were available from the previous responses. An attacker could cancel a victim’s ticket and harvest the eVoucher code.
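The defect here is a response that carries a bearer secret the server already delivers through a separate channel. The following is an added illustration written for this advisory, not Amtrak's code or any code Bishop Fox published. It models the cancellation endpoint in the form described above (voucher emailed to the address on file and also echoed in the response) beside a hardened form that delivers the code only by email and allow-lists every field the response may carry, so a future change cannot reintroduce the leak unnoticed. The reservation records, field names, the mail stand-in and the allow-list are constructed assumptions; authentication and ownership of the PNR are assumed to be enforced before this handler runs.

```python
"""Added illustration (not Amtrak's, Bishop Fox's, or any real API's code).

Models the cancellation endpoint in the form the advisory describes (the
eVoucher is emailed to the address on file and also echoed in the API
response) next to a hardened form that delivers the voucher code only through
the out-of-band channel and allow-lists every field the response may carry.
Reservation records, field names and the mail stand-in are all constructed.
Authentication and ownership of the PNR are assumed to be enforced upstream.
"""
import secrets
from typing import Dict, List, Tuple

Outbox = List[Tuple[str, str]]  # (recipient email, voucher code) the mail system would send


def make_store() -> Dict[str, dict]:
    """Fresh constructed reservation table so each call sequence starts clean."""
    return {"ABC123": {"owner": "alice", "email": "alice@example.com",
                       "amount": "154.00", "status": "confirmed"}}


def issue_evoucher(amount: str) -> dict:
    """Mint a voucher. The code is a bearer secret: whoever holds it can spend the funds."""
    return {"code": "EV-" + secrets.token_hex(6).upper(), "amount": amount}


def cancel_vulnerable(store: Dict[str, dict], outbox: Outbox, pnr: str, amount: str) -> Tuple[int, dict]:
    """The described behaviour: the voucher goes out by email and is returned to the caller."""
    res = store[pnr]
    res["status"] = "cancelled"
    voucher = issue_evoucher(amount)
    outbox.append((res["email"], voucher["code"]))
    return 200, {"pnrNumber": pnr, "status": "cancelled",
                 "refundMethod": "eVoucher", "eVoucher": voucher}  # the secret leaks here


# Every key a successful cancellation response may contain. Anything else is a defect.
RESPONSE_ALLOWLIST = {"pnrNumber", "status", "refundMethod", "refundAmount", "delivery"}


def response_is_clean(body: dict) -> bool:
    """True when the body contains only allow-listed fields."""
    return set(body) <= RESPONSE_ALLOWLIST


def serialize(body: dict) -> dict:
    """Outbound filter: fail closed if a non-allow-listed field reaches the response."""
    if not response_is_clean(body):
        extra = sorted(set(body) - RESPONSE_ALLOWLIST)
        raise ValueError(f"refusing to emit non-allow-listed fields: {extra}")
    return body


def cancel_hardened(store: Dict[str, dict], outbox: Outbox, pnr: str, amount: str) -> Tuple[int, dict]:
    """Hardened cancellation: the voucher code is delivered only to the address on file,
    and the refund amount comes from the reservation, not from the request."""
    res = store[pnr]
    if res["status"] != "confirmed":
        return 409, {"error": "reservation is not cancellable"}
    if amount != res["amount"]:  # client-supplied amount is a confirmation, not the source of truth
        return 400, {"error": "amount does not match reservation"}
    res["status"] = "cancelled"
    voucher = issue_evoucher(res["amount"])
    outbox.append((res["email"], voucher["code"]))
    return 200, serialize({"pnrNumber": pnr, "status": "cancelled", "refundMethod": "eVoucher",
                           "refundAmount": voucher["amount"],
                           "delivery": "voucher code sent to the email address on file"})
```

The allow-list is the part worth keeping in a real code base: a handler that builds its response from an explicit set of permitted keys, and fails closed on anything else, turns "we accidentally returned the voucher" from a silent data exposure into a failing test. The ownership check on the web application's redemption page, mentioned above, cannot substitute for this, since the data it asks for is the same data the preceding responses already exposed.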

Request

Response

As highlighted above, the response contained the eVoucher code, which any person could then use to buy a new ticket. The screenshot below shows an attacker applying an eVoucher via a guest account:

Solution

This issue has been resolved server-side. 

Timeline

      • 01/12/2019: Initial discovery
      • 01/14/2019: Contact with vendor
      • 01/15/2019: Vendor acknowledged vulnerabilities
      • 02/13/2019: Vendor patched their application server
      • 02/19/2019: Vulnerabilities publicly disclosed

Researcher