Greyhound Lines Inc. (owned by FirstGroup America Inc. – a subsidiary of FirstGroup Plc (UK))
Greyhound Lines Inc. (U.S.) provides intercity bus service across North America. It provides personal ticketing kiosk services via its web and mobile applications for Greyhound customers. These applications help customers manage e-ticketing, mobile check-in, and the program.
Critical vulnerabilities were identified in the Greyhound APIs, primarily due to insufficient authentication controls. Exploitation of these can result in the exposure of personally identifiable information (PII) of customers who had joined the Road Rewards program. Additionally, an attacker can remotely exploit an internet-exposed web service that hosts account information for Greyhound customers as well as other sensitive information. An attacker could use this vulnerability to gain unrestricted access and completely take over user accounts belonging to affected members.
At the time of this disclosure, this vulnerability affects at least a million members.
Impact
The impact of the discovered vulnerabilities is as follows. By exploiting them, attackers can perform the following:
Priyank Nigam, Senior Security Analyst at Bishop Fox
8240 S. Kyrene Rd.
Suite A113
Tempe, AZ
85284
United States