A security bug discovered in British Airways’ e-ticketing system has the potential to expose passengers’ data, including their flight booking details and personal information.
Researchers on Tuesday said that check-in links being sent by British Airways to their passengers via email are unencrypted – opening them up to an attack that could expose victims’ booking reference numbers, phone numbers, email addresses and more. Researchers told Threatpost they estimate that 2.5 million connections were made to the affected British Airways domains over the past six months, so the potential impact is “significant.”
“In an effort to streamline the user experience, passenger details are included in the URL parameters that direct the passenger from the email to the British Airways website where they are logged in automatically so they can view their itinerary and check-in for their flight,” said researchers with Wandera in a Tuesday analysis. “The passenger details included in the URL parameters are the booking reference and surname, both of which are exposed because the link is unencrypted.”
That means that someone snooping on the same public Wi-Fi network can easily intercept the link request, use it themselves and then gain access to the passenger’s online check-in. Making matters worse, several airports are notorious for their risky Wi-Fi networks.
From there, bad actors could either view the victim’s personal data, or manipulate their booking information, researchers said. Exposed information includes: email address, telephone numbers, BA membership numbers, first and last name, booking reference, itinerary, flight information like flight number, flight times, and seat number.
The flaw was discovered in July. Researchers said that after they discovered the flaw, they notified the airline of the vulnerable links.
“Our research team observed the leak still occurring this week so we believe it is still unfixed,” researchers told Threatpost. “However, British Airways has been in touch with us this morning so we are hopeful it will be addressed soon.”
According to British Airways, no passport or payment information can be accessed and there is no evidence to suggest any customer information has been taken.
“We take the security of our customers’ data very seriously,” a British Airways spokesperson told Threatpost. “Like other airlines, we are aware of this potential issue and are taking action to ensure our customers remain securely protected.”
A similar check-in vulnerability was discovered in February, impacting eight major airlines. Those included: Southwest, KLM, Air France, Jetstar, Thomas Cook, Vueling, Air Europa, and Transavia. All airlines were notified and urged to take action to secure the check-in links.
Researchers stressed that airlines need to adopt encryption through the check-in process, as well as require explicit user authentication for all steps where PII is accessible and especially when it is editable.
British Airways has been plagued by cybersecurity scandals repeatedly over the past year.
In September 2018, British Airways said approximately 380,000 card payments were compromised after a security breach occurred on the company’s website and mobile app in August (that figure was later amended to increase up an additional 185,000 victims to the official tally). In July 2019, a record $230 million fine was proposed against British Airways for the airline’s 2018 data breach impacted 500,000 of the airline’s customers.
Other airlines have also been hit by security issues: In August, Air Canada said 20,000 mobile app users have had their passport information exposed and asked users of its Mobile+ app to reset their accounts after it detected “unusual login behavior” between Aug. 22-24. And, earlier in April, Delta said “a small subset” of customers were impacted by a data breach tied to malware planted on a third-party service.