Check-in Links Sent by Several Airlines Expose Passenger Data

The check-in links sent to customers by several major airlines from around the world can allow hackers to obtain passengers’ personal information and possibly make changes to their booking, mobile security firm Wandera warned on Wednesday.

Members of Wandera’s threat research team noticed in December that the links sent by Air France to customers through the company’s e-ticketing system are not protected by any type of encryption. These links are typically sent by companies via email or SMS and they are used to initiate the check-in process.

Further analysis revealed that similarly unprotected links were sent out by other major airlines as well, including Southwest in the US, KLM and Transavia in the Netherlands, Vueling and Air Europe in Spain, Jetstar in Australia, and Thomas Cook in the UK.

The problem is that the check-in links sent by these airlines to their customers initiate a connection over HTTP instead of HTTPS.

The link itself, as Wandera VP of Product Michael Covington told SecurityWeek, includes a record locator, the origin of the flight and its destination, and, in some cases, the passenger’s name. Airlines use this data to identify each passenger and provide access to details of their reservation.

Airlines send unencrypted check-in links

An attacker who can intercept a user’s traffic – for example, by compromising a public Wi-Fi connection – can reuse the identifiers carried in the link to gain access to the targeted user’s online check-in page.

Depending on the airline, the check-in service can provide access to data such as email address, name, gender, passport information, nationality, phone number, partial payment card information, booking reference, flight details (flight number, seating data), and even the complete boarding pass. In some cases, the attacker could also make changes to the data provided by the legitimate user.

“Boarding procedures vary from airport to airport and can be more or less secure. The most concerning aspect of this vulnerability is that in some cases a hacker or criminal can print a victim’s boarding pass and could even attempt to board a scheduled flight,” Wandera researchers explained.


The security firm pointed to a recent news report claiming that a man traveling from the UK to Poland boarded the wrong airplane and ended up in Malta. The incident raised concerns about boarding pass screening as the man had a ticket for Poland.

Wandera believes airlines should encrypt communications during the check-in process, implement additional authentication mechanisms for processes that involve access to personal information (especially if that information can be edited), and use one-time tokens for direct links delivered via email or SMS.
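To make the contrast concrete, here is an added example (not code from Wandera, SecurityWeek or any airline) that models the weak link described above beside the one-time-token design recommended here: a small checker that flags what a defender would object to in a check-in URL, and a server-side store that issues random, expiring, single-use tokens so the link itself carries no booking data. The host name and the query parameter names (`pnr`, `from`, `to`, `lname`) are assumptions for illustration only.

```python
import secrets
import time
from urllib.parse import urlsplit, parse_qs

# Constructed sample of the kind of link the article describes: record
# locator, route and passenger name sent over plain HTTP (assumed names).
WEAK_LINK = "http://checkin.example-air.test/checkin?pnr=ABC123&from=CDG&to=AMS&lname=Doe"


def link_findings(url):
    """Return the issues a defender would flag in a check-in link."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    findings = []
    if parts.scheme != "https":
        findings.append("plain HTTP: link contents readable by anyone on the path")
    if "pnr" in params:
        findings.append("record locator in URL acts as a reusable credential")
    if "lname" in params:
        findings.append("passenger name exposed in URL")
    return findings


class OneTimeTokenStore:
    """Server-side issuance of single-use, expiring check-in tokens.

    The token is random and maps to the booking only on the server, so the
    link reveals nothing if read in transit and cannot be replayed."""

    def __init__(self, ttl_seconds=3600, now=time.time):
        self._tokens = {}      # token -> (record_locator, expiry timestamp)
        self._ttl = ttl_seconds
        self._now = now        # injectable clock, useful for testing expiry

    def issue(self, record_locator):
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (record_locator, self._now() + self._ttl)
        return "https://checkin.example-air.test/t/" + token

    def redeem(self, url):
        """Return the record locator for a valid token, else None.
        pop() removes the token, so a second redemption fails."""
        token = urlsplit(url).path.rsplit("/", 1)[-1]
        entry = self._tokens.pop(token, None)
        if entry is None:
            return None
        record_locator, expires = entry
        return record_locator if self._now() <= expires else None
```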

SecurityWeek has asked Wandera if it’s possible that a single e-ticketing platform is used by all the impacted airlines, but the security firm believes the weakness is not introduced by a single platform.

“Based on my assessment of the data and conversations I’ve had with the airlines, I’m fairly confident that this vulnerability impacts more than one platform,” Covington explained. “While a subset of the airlines may use a common platform, there are sufficient variations in how these systems communicate that I believe there to be several e-ticketing systems involved.”

“I suspect this boils down to an industry-wide decision to make online check-in easy; they’ve essentially prioritized usability over security. The entire problem goes away if they simply made the e-mail/SMS links one-time use,” he added.

Wandera notified each of the impacted airlines in December 2018 and January 2019, and said it had also shared its findings with government agencies in charge of airport security.

“Some have responded and indicated that they are investigating the issue,” Covington told SecurityWeek. “Unfortunately, we have not been able to verify that any fixes have been implemented. Our researchers have confirmed that some of the e-ticketing systems are still exposing data, so the problem has not been resolved.”

Other researchers revealed recently that a vulnerability affecting a reservation system provided by Spain-based Amadeus, which is used by hundreds of airlines worldwide, could have exposed the details of millions of passengers.

Related: Travel Booking Systems Expose User Data

Related: Pentagon Reveals Cyber Breach of Travel Records

Related: Travel Tech Giant Sabre Investigating Data Breach

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.