Connect with us

Hi, what are you looking for?


Data Protection

Check-in Links Sent by Several Airlines Expose Passenger Data

The check-in links sent to customers by several major airlines from around the world can allow hackers to obtain passengers’ personal information and possibly make changes to their booking, mobile security firm Wandera warned on Wednesday.

The check-in links sent to customers by several major airlines from around the world can allow hackers to obtain passengers’ personal information and possibly make changes to their booking, mobile security firm Wandera warned on Wednesday.

Members of Wandera’s threat research team noticed in December that the links sent by Air France to customers through the company’s e-ticketing system are not protected by any type of encryption. These links are typically sent by companies via email or SMS and they are used to initiate the check-in process.

Further analysis revealed that similarly unprotected links were sent out by other major airlines as well, including Southwest in the US, KLM and Transavia in the Netherlands, Vueling and Air Europe in Spain, Jetstar in Australia, and Thomas Cook in the UK.

The problem is that the check-in links sent by these airlines to their customers initiate a connection over HTTP instead of HTTPS.

The link itself, as Wandera VP of Product Michael Covington told SecurityWeek, includes a record locator, the origin of the flight and its destination, and, in some cases, the passenger’s name. Airlines use this data to identify each passenger and provide access to details of their reservation.

Airlines send unencrypted check-in links

An attacker who can intercept a user’s traffic – for example, by compromising a public Wi-Fi connection – can leverage these credentials to gain access to the targeted user’s online check-in page.

Depending on the airline, the check-in service can provide access to data such as email address, name, gender, passport information, nationality, phone number, partial payment card information, booking reference, flight details (flight number, seating data), and even the complete boarding pass. In some cases, the attacker could also make changes to the data provided by the legitimate user.

Advertisement. Scroll to continue reading.

“Boarding procedures vary from airport to airport and can be more or less secure. The most concerning aspect of this vulnerability is that in some cases a hacker or criminal can print a victim’s boarding pass and could even attempt to board a scheduled flight,” Wandera researchers explained.

The security firm pointed to a recent news report claiming that a man traveling from the UK to Poland boarded the wrong airplane and ended up in Malta. The incident raised concerns about boarding pass screening as the man had a ticket for Poland.

Wandera believes airlines should encrypt communications during the check-in process, they should implement additional authentication mechanisms for processes that involve access to personal information (especially if that information can be edited), and use one-time tokens for direct links delivered via email or SMS.

SecurityWeek has asked Wandera if it’s possible that a single e-ticketing platform is used by all the impacted airlines, but the security firm believes the weakness is not introduced by a single platform.

“Based on my assessment of the data and conversations I’ve had with the airlines, I’m fairly confident that this vulnerability impacts more than one platform,” Covington explained. “While a subset of the airlines may use a common platform, there are sufficient variations in how these systems communicate that I believe there to be several e-ticketing systems involved.”

“I suspect this boils down to an industry-wide decision to make online check-in easy; they’ve essentially prioritized usability over security. The entire problem goes away if they simply made the e-mail/SMS links one-time use,” he added.

Wandera notified each of the impacted airlines in December 2018 and January 2019, and said it had also shared its findings with government agencies in charge of airport security.

“Some have responded and indicated that they are investigating the issue,” Covington told SecurityWeek. “Unfortunately, we have not been able to verify that any fixes have been implemented. Our researchers have confirmed that some of the e-ticketing systems are still exposing data, so the problem has not been resolved.”

Other researchers revealed recently that a vulnerability affecting a reservation system provided by Spain-based Amadeus, which is used by hundreds of airlines worldwide, could have exposed the details of millions of passengers.

Related:Travel Booking Systems Expose User Data

Related: Pentagon Reveals Cyber Breach of Travel Records

Related: Travel Tech Giant Sabre Investigating Data Breach

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.