2/6/2019
04:05 PM
Some Airline Flight Online Check-in Links Expose Passenger Data

Several airlines send unencrypted links to passengers for flight check-in that could be intercepted by attackers to view passenger and other data, researchers found.

Several major airlines are putting passenger data at risk by sending unencrypted links for performing online check-ins to their flights.

Opportunistic attackers can intercept the links to view and, in some cases, to change a passenger's flight booking details and to print their boarding passes, according to security vendor Wandera.

Data at risk includes passenger names, boarding pass and flight details, passport and travel document data, email addresses, phone numbers, and other information.

Researchers from Wandera recently investigated e-ticketing systems in use by over 40 global airlines in the US, Europe, and Asia Pacific region. The company initiated the investigation after observing one airline sending passenger details belonging to a company customer in unencrypted fashion.

Wandera's sleuthing showed multiple airlines are sending insecure links for passenger check-in. The links typically direct passengers to an airline site where they are logged in automatically to check in for their flight and to make changes to their booking if needed.

In a report Wednesday, Wandera listed eight airlines in total that it says are putting different types of passenger data at risk via unencrypted links. The list only includes airlines that Wandera says had an opportunity to respond after being notified about the vulnerability.

Among them are Southwest in the US; Air France, KLM, Transavia and Vueling in Europe; and Jetstar in Australia.

In an emailed statement, a Jetstar spokesman said the company has no evidence of customers' booking details or data being misused by unauthorized parties via the booking link. "To ensure our customers’ information remains protected we have multiple layers of security in place and are continuously implementing further cyber safeguards for emails, itineraries and our systems," the statement noted. "Sensitive customer information such as payment details [is] not accessible through a customer’s booking link."

A spokesman from Transavia, a part of the Air France-KLM group, said an email the company sends to customers before their trip contains an unencrypted link to the check-in process on its website. "However, fraudulent use of this link would under no circumstances allow access to data other than that of the current reservation," the spokesman said in an emailed statement.

Customer profile information, including sensitive information such as bank details, is fully protected and Transavia databases are monitored in real time to identify and prevent any fraudulent access, the statement said. "IT teams are working to further enhance security on the link sent to customers as part of the check-in process. This will be effective very soon," Transavia said. Air France and KLM have issued similar statements, according to the spokesman.

Southwest and Vueling did not respond to a request for comment.

Wi-Fi Attack

The data at risk differs by airline, with some e-ticketing systems providing access to a lot more data than others. One airline's check-in link (identified in Wandera's report simply as Airline 8) for instance provides access only to the passenger's last name and booking reference number. Links from other carriers provide access to full names, phone numbers, seat assignments, passport details, nationality, gender, date of birth, and full home address.

In order to intercept a vulnerable check-in link, an attacker would need to be on the same Wi-Fi network as the potential victim. Even so, Wandera's vice president of product management, Michael Covington, believes the vulnerability is significant. "The threat is a real problem for travelers because of the amount of sensitive information that is inadequately protected from hackers," he says.

An attacker who manages to intercept a link can impersonate the passenger at any time, before or after the actual check-in process begins, to make changes on the traveler's account or to obtain a valid boarding pass, he says.

In addition to passenger details, an attacker with access to an unencrypted check-in link would in some cases potentially be able to view information on all the companions associated with a traveler on the same booking, including family and work colleagues. "This isn't just about changing a passenger's seating assignment, it's about disrupting their entire booking," Covington says.

Most exploits of this vulnerability will likely be opportunistic because it requires an attacker to be on the same network as the victim, he says. But targeted attacks cannot be ruled out: "Our research does show that most people have a fairly consistent pattern they follow each day," he says. "Public Wi-Fi access points in cities, airports, and coffee shops make it fairly easy to listen in on the network sessions of a targeted individual."

Covington says the response for the most part has been "minimal" from airlines Wandera has notified about the issue. Some, including Southwest and Jetstar, have asked for additional details and confirmed that fixes are in progress. Wandera has also notified the TSA and the European Aviation Safety Agency, but both have indicated that this issue is outside their jurisdiction, Covington says.

He theorizes that several airlines use unencrypted links because they want to make online check-in easy. "The entire problem goes away if they simply made the e-mail/SMS links one-time use" or encrypt the links, he notes.
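The one-time-use fix Covington describes, as an added example that is not code from Wandera or any airline: the link carries a random token, the server stores only the token's hash, and the first redemption consumes it, so an intercepted copy is worthless after the passenger has used it or once it expires. The airline domain and the 24-hour validity window are assumptions.

```python
import hashlib
import secrets
import time

# Assumption: a check-in link stays valid for 24 hours after it is sent.
TOKEN_TTL_SECONDS = 24 * 3600


class CheckInLinks:
    """Issues and redeems single-use, expiring check-in links for bookings."""

    def __init__(self, base_url="https://checkin.example-airline.test/c/"):
        # HTTPS only: a link that itself travels over plaintext can be read on the wire.
        self.base_url = base_url
        # token_hash -> (booking_ref, last_name, expires_at); only hashes are stored,
        # so a leaked table does not yield usable links.
        self._tokens = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, booking_ref, last_name, now=None):
        """Mint a link bound to one booking; the token has 256 bits of entropy."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._tokens[self._digest(token)] = (booking_ref, last_name, now + TOKEN_TTL_SECONDS)
        return self.base_url + token

    def redeem(self, token, now=None):
        """Return the booking the link unlocks, or None; the token is consumed either way."""
        now = time.time() if now is None else now
        # pop() removes the record on first use, so a second presentation fails.
        record = self._tokens.pop(self._digest(token), None)
        if record is None:
            return None
        booking_ref, last_name, expires_at = record
        if now > expires_at:
            return None
        return {"booking_ref": booking_ref, "last_name": last_name}


def token_from_link(url):
    """Extract the token the passenger's browser would send back (constructed helper)."""
    return url.rsplit("/", 1)[1]
```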

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.