Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

2/6/2019
04:05 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Some Airline Flight Online Check-in Links Expose Passenger Data

Several airlines send unencrypted links to passengers for flight check-in that could be intercepted by attackers to view passenger and other data, researchers found.

Several major airlines are putting passenger data at risk by sending unencrypted links for performing online check-ins to their flights.

Opportunistic attackers can intercept the links to view and, in some cases, to change a passenger's flight booking details and to print their boarding passes, according to security vendor Wandera.

Data at risk includes passenger names, boarding pass and flight details, passport and travel document data, email addresses, phone numbers, and other information.

Researchers from Wandera recently investigated e-ticketing systems in use by over 40 global airlines in the US, Europe, and Asia Pacific region. The company initiated the investigation after observing one airline sending passenger details belonging to a company customer in unencrypted fashion.

Wandera's sleuthing showed multiple airlines are sending insecure links for passenger check-in. The links typically direct passengers to an airline site where they are logged-in automatically to check-in for their flight and to make changes to their booking if needed. 

In a report Wednesday, Wandera listed eight airlines in total that it says are putting different types of passenger data at risk via unencrypted links. The list only includes airlines that Wandera says had an opportunity to respond after being notified about the vulnerability.

Among them are Southwest in the US; Air France, KLM, Transavia and Vueling in Europe; and Jetstar in Australia.

In an emailed statement, a Jetstar spokesman said the company has no evidence of customers' booking details or data being misused by unauthorized parties via the booking link. "To ensure our customers’ information remains protected we have multiple layers of security in place and are continuously implementing further cyber safeguards for emails, itineraries and our systems," the statement noted. "Sensitive customer information such as payment details [is] not accessible through a customer’s booking link."

A spokesman from Transavia, a part of the Air France-KLM group said an email the company sends to customers before their trip contains an unencrypted link to the check-in process on its website. "However, fraudulent use of this link would under no circumstances allow access to data other than that of the current reservation," the spokesman said in an emailed statement.

Customer profile information, including sensitive information such as bank details, is fully protected and Transavia databases are monitored in real time to identify and prevent any fraudulent access, the statement said. "IT teams are working to further enhance security on the link sent to customers as part of the check-in process. This will be effective very soon," Transavia said.  Air France and KLM have issued similar statements, according to the spokesman.

Southwest and Vueling did not respond to a request for comment.

Wi-Fi Attack

The data at risk differs by airline, with some e-ticketing systems providing access to a lot more data than others. One airline's check-in link (identified in Wandera's report simply as Airline 8) for instance provides access only to the passenger's last name and booking reference number. Links from other carriers provide access to full names, phone numbers, seat assignments, passport details, nationality, gender, date of birth, and full home address.

In order to intercept a vulnerable check-in link, an attacker would need to be on the same Wi-Fi network at as the potential victim. Even so, Wandera's vice president of product management Michael Covington, believes the vulnerability is significant. "The threat is a real problem for travelers because of the amount of sensitive information that is inadequately protected from hackers," he says.  

An attacker who manages to intercept a link can impersonate the passenger at anytime — before or after the actual check-in process begins — to make changes on the traveler's account or to obtain a valid boarding pass, he says.

In addition to passenger details, an attacker with access to a unencrypted check-in link would in some cases potentially be to view information on all the companions associated with a traveler on the same booking, including family and work colleagues. "This isn't just about changing a passenger's seating assignment, it's about disrupting their entire booking," Covington says.

Most exploits of this vulnerability will likely be opportunistic because it requires an attacker to be on he same network as the victim, he says. But targeted attacks cannot be ruled out: "Our research does show that most people have a fairly consistent pattern they follow each day," he says. "Public Wi-Fi access points in cities, airports, and coffee shops make it fairly easy to listen in on the network sessions of a targeted individual."

Covington says the response for the most part has been "minimal" from airlines Wandera has notified about the issue. Some, including Southwest and Jetstar, have asked for additional details and confirmed that fixes are in progress. Wandera has also notified the TSA and the European Aviation Safety Agency, but both have indicated that this issue is outside their jurisdiction, Covington says.

He theorizes the reason why several airlines are using unencrypted links is because they want to make online check-in easy. "The entire problem goes away if they simply made the e-mail/SMS links one-time use" or encrypt the links, he notes.

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15208
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can ...
CVE-2020-15209
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one....
CVE-2020-15210
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and ...
CVE-2020-15211
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices f...
CVE-2020-15212
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `outpu...