2/6/2019
04:05 PM
Some Airline Flight Online Check-in Links Expose Passenger Data

Several airlines send unencrypted links to passengers for flight check-in that could be intercepted by attackers to view passenger and other data, researchers found.

Several major airlines are putting passenger data at risk by sending unencrypted links for performing online check-ins to their flights.

Opportunistic attackers can intercept the links to view and, in some cases, to change a passenger's flight booking details and to print their boarding passes, according to security vendor Wandera.

Data at risk includes passenger names, boarding pass and flight details, passport and travel document data, email addresses, phone numbers, and other information.

Researchers from Wandera recently investigated e-ticketing systems in use by over 40 global airlines in the US, Europe, and Asia Pacific region. The company initiated the investigation after observing one airline sending passenger details belonging to a company customer in unencrypted fashion.

Wandera's sleuthing showed multiple airlines are sending insecure links for passenger check-in. The links typically direct passengers to an airline site where they are logged in automatically to check in for their flight and to make changes to their booking if needed.

In a report Wednesday, Wandera listed eight airlines in total that it says are putting different types of passenger data at risk via unencrypted links. The list only includes airlines that Wandera says had an opportunity to respond after being notified about the vulnerability.

Among them are Southwest in the US; Air France, KLM, Transavia and Vueling in Europe; and Jetstar in Australia.

In an emailed statement, a Jetstar spokesman said the company has no evidence of customers' booking details or data being misused by unauthorized parties via the booking link. "To ensure our customers’ information remains protected we have multiple layers of security in place and are continuously implementing further cyber safeguards for emails, itineraries and our systems," the statement noted. "Sensitive customer information such as payment details [is] not accessible through a customer’s booking link."

A spokesman from Transavia, a part of the Air France-KLM group, said an email the company sends to customers before their trip contains an unencrypted link to the check-in process on its website. "However, fraudulent use of this link would under no circumstances allow access to data other than that of the current reservation," the spokesman said in an emailed statement.

Customer profile information, including sensitive information such as bank details, is fully protected and Transavia databases are monitored in real time to identify and prevent any fraudulent access, the statement said. "IT teams are working to further enhance security on the link sent to customers as part of the check-in process. This will be effective very soon," Transavia said. Air France and KLM have issued similar statements, according to the spokesman.

Southwest and Vueling did not respond to a request for comment.

Wi-Fi Attack

The data at risk differs by airline, with some e-ticketing systems providing access to a lot more data than others. One airline's check-in link (identified in Wandera's report simply as Airline 8) for instance provides access only to the passenger's last name and booking reference number. Links from other carriers provide access to full names, phone numbers, seat assignments, passport details, nationality, gender, date of birth, and full home address.

In order to intercept a vulnerable check-in link, an attacker would need to be on the same Wi-Fi network as the potential victim. Even so, Wandera's vice president of product management, Michael Covington, believes the vulnerability is significant. "The threat is a real problem for travelers because of the amount of sensitive information that is inadequately protected from hackers," he says.

An attacker who manages to intercept a link can impersonate the passenger at any time — before or after the actual check-in process begins — to make changes on the traveler's account or to obtain a valid boarding pass, he says.

In addition to passenger details, an attacker with access to an unencrypted check-in link would in some cases potentially be able to view information on all the companions associated with a traveler on the same booking, including family and work colleagues. "This isn't just about changing a passenger's seating assignment, it's about disrupting their entire booking," Covington says.

Most exploits of this vulnerability will likely be opportunistic because it requires an attacker to be on the same network as the victim, he says. But targeted attacks cannot be ruled out: "Our research does show that most people have a fairly consistent pattern they follow each day," he says. "Public Wi-Fi access points in cities, airports, and coffee shops make it fairly easy to listen in on the network sessions of a targeted individual."

Covington says the response for the most part has been "minimal" from airlines Wandera has notified about the issue. Some, including Southwest and Jetstar, have asked for additional details and confirmed that fixes are in progress. Wandera has also notified the TSA and the European Aviation Safety Agency, but both have indicated that this issue is outside their jurisdiction, Covington says.

He theorizes that several airlines use unencrypted links because they want to make online check-in easy. "The entire problem goes away if they simply made the e-mail/SMS links one-time use" or encrypt the links, he notes.
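As an added illustration (not code from Wandera's report or from any airline named above), the following Python sketches the two fixes Covington describes: the check-in link is only ever minted over HTTPS, and the token it carries is random, expiring, and redeemable exactly once, so a copy captured on shared Wi-Fi cannot be replayed to log in as the passenger. The service class, the base URL and the 24-hour lifetime are assumptions made for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Assumed policy for this example: a check-in link stays valid for 24 hours.
TOKEN_TTL_SECONDS = 24 * 3600


@dataclass
class CheckInLink:
    booking_ref: str
    expires_at: float
    redeemed: bool = False


class CheckInLinkService:
    """Issues single-use, expiring check-in links and redeems each at most once.

    Only a SHA-256 hash of the token is stored server-side, so a leaked table
    of issued links cannot be turned back into usable URLs.
    """

    def __init__(self, base_url="https://checkin.example-airline.test/checkin"):
        # Refuse to mint plain-HTTP links: that is the exposure the report describes.
        if not base_url.startswith("https://"):
            raise ValueError("check-in links must be served over TLS")
        self.base_url = base_url
        self._links = {}  # token hash -> CheckInLink

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, booking_ref, now=None):
        """Create a fresh 256-bit random token bound to a single booking."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._links[self._hash(token)] = CheckInLink(booking_ref, now + TOKEN_TTL_SECONDS)
        return f"{self.base_url}?t={token}"

    def redeem(self, url, now=None):
        """Return the booking reference for a valid link, or None if the link is
        unknown, already used or expired. The first successful use burns the token."""
        now = time.time() if now is None else now
        token = parse_qs(urlparse(url).query).get("t", [""])[0]
        link = self._links.get(self._hash(token))
        if link is None or link.redeemed or now > link.expires_at:
            return None
        link.redeemed = True
        return link.booking_ref
```

A real deployment would persist the link table and still require a second factor (such as the passenger's surname) before exposing companion or passport data, but the replay and expiry checks above are what remove the interception risk the article describes.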

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
