by sangeeth96 679 days ago
I've always felt most such rewards program portals and apps were more hack-jobs than serious applications and thus, would be riddled with issues like these. I'm from India and I see many of these sites come and go all the time but not a single one has inspired confidence in me about keeping my data safe. For example, even the topmost cards here (HDFC Diners/Infinia) have a shoddy website, mostly a reskinned version of their generic rewards platform/partner.

And I'm not just hand-waving here, because there are many forums that discuss taking advantage of their bad implementations to maximize returns. Even when one eventually gets patched, another springs up.


> I've always felt most such rewards program portals and apps were more hack-jobs than serious applications

It’s easy to figure out which way any system goes. Does it generate revenue or cost money? The former will be a serious application, the latter a hack job.

Just did a mental test of this theory through past projects I’ve consulted for, and it seemed the opposite. I’ve seen hack jobs generating about $1M/day, as a second product of the company. And seen very mature serious applications barely breaking even.

This makes sense because a hack job that generates money is more likely to stay online than a hack job that makes no money.

The whole point of these rewards programs is to share your data (bookings, itineraries, employment, email, travel class, etc.) with as many partners as possible. So at the end of the day, a data leak is only marginally worse than the expected behavior.

(Obviously this doesn’t lessen the impact of vulnerabilities that allow malicious actors to charge you, steal your points, amend your bookings, or access your travel data in real time. But for read-only queries, an attacker won’t get much more access than a paying partner of the program could get.)