Airline Fanatic

This seems like pretty basic stuff United is missing here.  According to TravelGlitch.com, anyone who buys a $100 e-certificate off ebay or through some other manner, then has unlimited access to other certificates by only changing the URL they use.

That sounds a bit complicated, but lets break it down and see how it works.  First, you buy a $100 e-certificate off ebay for around $10, and then are told to go to a specific URL to claim your reward.  Well part of that URL is your unique certificate number.  It turns out that the first 9 digits of the certificate always stay the same, and only the last 6 change.  All you have to do is start out at the number of the certificate you purchased and start counting up by one.  In 10 minutes of work TravelGlitch was able to find 5 valid certificate numbers that would have given them $500 in discounts.

From one perspective this is pretty awesome news, for a $10 investment you can get hundreds in discounts.  But think about all the people who actually own these certificates but have not yet used them, only to find that their number has already been used once they do actually try to use it. One would think United would have foreseen these issues and built a website secure enough to make sure certificates actually go to those who own them, rather than those who just play with their URL a bit.  United has to do something about this!

[Via TravelGlitch]