Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

2/6/2019
04:05 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Some Airline Flight Online Check-in Links Expose Passenger Data

Several airlines send unencrypted links to passengers for flight check-in that could be intercepted by attackers to view passenger and other data, researchers found.

Several major airlines are putting passenger data at risk by sending unencrypted links for performing online check-ins to their flights.

Opportunistic attackers can intercept the links to view and, in some cases, to change a passenger's flight booking details and to print their boarding passes, according to security vendor Wandera.

Data at risk includes passenger names, boarding pass and flight details, passport and travel document data, email addresses, phone numbers, and other information.

Researchers from Wandera recently investigated e-ticketing systems in use by over 40 global airlines in the US, Europe, and Asia Pacific region. The company initiated the investigation after observing one airline sending passenger details belonging to a company customer in unencrypted fashion.

Wandera's sleuthing showed multiple airlines are sending insecure links for passenger check-in. The links typically direct passengers to an airline site where they are logged-in automatically to check-in for their flight and to make changes to their booking if needed. 

In a report Wednesday, Wandera listed eight airlines in total that it says are putting different types of passenger data at risk via unencrypted links. The list only includes airlines that Wandera says had an opportunity to respond after being notified about the vulnerability.

Among them are Southwest in the US; Air France, KLM, Transavia and Vueling in Europe; and Jetstar in Australia.

In an emailed statement, a Jetstar spokesman said the company has no evidence of customers' booking details or data being misused by unauthorized parties via the booking link. "To ensure our customers’ information remains protected we have multiple layers of security in place and are continuously implementing further cyber safeguards for emails, itineraries and our systems," the statement noted. "Sensitive customer information such as payment details [is] not accessible through a customer’s booking link."

A spokesman from Transavia, a part of the Air France-KLM group said an email the company sends to customers before their trip contains an unencrypted link to the check-in process on its website. "However, fraudulent use of this link would under no circumstances allow access to data other than that of the current reservation," the spokesman said in an emailed statement.

Customer profile information, including sensitive information such as bank details, is fully protected and Transavia databases are monitored in real time to identify and prevent any fraudulent access, the statement said. "IT teams are working to further enhance security on the link sent to customers as part of the check-in process. This will be effective very soon," Transavia said.  Air France and KLM have issued similar statements, according to the spokesman.

Southwest and Vueling did not respond to a request for comment.

Wi-Fi Attack

The data at risk differs by airline, with some e-ticketing systems providing access to a lot more data than others. One airline's check-in link (identified in Wandera's report simply as Airline 8) for instance provides access only to the passenger's last name and booking reference number. Links from other carriers provide access to full names, phone numbers, seat assignments, passport details, nationality, gender, date of birth, and full home address.

In order to intercept a vulnerable check-in link, an attacker would need to be on the same Wi-Fi network at as the potential victim. Even so, Wandera's vice president of product management Michael Covington, believes the vulnerability is significant. "The threat is a real problem for travelers because of the amount of sensitive information that is inadequately protected from hackers," he says.  

An attacker who manages to intercept a link can impersonate the passenger at anytime — before or after the actual check-in process begins — to make changes on the traveler's account or to obtain a valid boarding pass, he says.

In addition to passenger details, an attacker with access to a unencrypted check-in link would in some cases potentially be to view information on all the companions associated with a traveler on the same booking, including family and work colleagues. "This isn't just about changing a passenger's seating assignment, it's about disrupting their entire booking," Covington says.

Most exploits of this vulnerability will likely be opportunistic because it requires an attacker to be on he same network as the victim, he says. But targeted attacks cannot be ruled out: "Our research does show that most people have a fairly consistent pattern they follow each day," he says. "Public Wi-Fi access points in cities, airports, and coffee shops make it fairly easy to listen in on the network sessions of a targeted individual."

Covington says the response for the most part has been "minimal" from airlines Wandera has notified about the issue. Some, including Southwest and Jetstar, have asked for additional details and confirmed that fixes are in progress. Wandera has also notified the TSA and the European Aviation Safety Agency, but both have indicated that this issue is outside their jurisdiction, Covington says.

He theorizes the reason why several airlines are using unencrypted links is because they want to make online check-in easy. "The entire problem goes away if they simply made the e-mail/SMS links one-time use" or encrypt the links, he notes.

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Unreasonable Security Best Practices vs. Good Risk Management
Jack Freund, Director, Risk Science at RiskLens,  11/13/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19010
PUBLISHED: 2019-11-16
Eval injection in the Math plugin of Limnoria (before 2019.11.09) and Supybot (through 2018-05-09) allows remote unprivileged attackers to disclose information or possibly have unspecified other impact via the calc and icalc IRC commands.
CVE-2019-16761
PUBLISHED: 2019-11-15
A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the [email protected] npm package. An attacker could create a specially crafted Bitcoin script in order to cause a hard-fork from the SLP consensus. All versions >1.0...
CVE-2019-16762
PUBLISHED: 2019-11-15
A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the slpjs npm package. An attacker could create a specially crafted Bitcoin script in order to cause a hard-fork from the SLP consensus. Affected users can upgrade to any...
CVE-2019-13581
PUBLISHED: 2019-11-15
An issue was discovered in Marvell 88W8688 Wi-Fi firmware before version p52, as used on Tesla Model S/X vehicles manufactured before March 2018, via the Parrot Faurecia Automotive FC6050W module. A heap-based buffer overflow allows remote attackers to cause a denial of service or execute arbitrary ...
CVE-2019-13582
PUBLISHED: 2019-11-15
An issue was discovered in Marvell 88W8688 Wi-Fi firmware before version p52, as used on Tesla Model S/X vehicles manufactured before March 2018, via the Parrot Faurecia Automotive FC6050W module. A stack overflow could lead to denial of service or arbitrary code execution.