Researchers have discovered that multiple airline e-ticketing systems do not encrypt check-in links. The security faux pas could allow bad actors on the same network as the victim to view – and in some cases even change – their flight booking details or boarding passes.
Security researchers at Wandera said that eight airlines have been sending some unencrypted check-in links through their e-ticketing systems: Southwest, Air France, KLM, Vueling, Jetstar (low-cost airline in Australia), Thomas Cook, Transavia, and Air Europa.
“Our threat researchers discovered that these airlines have sent unencrypted check-in links to passengers,” Liarna La Porta, with Wandera, said on Wednesday. “Upon clicking these unencrypted links, a passenger is directed to a site where they are logged in automatically to the check-in for their flight, and in some cases they can then make certain changes to their booking and print off the boarding pass.”
Essentially the flaws allow a hacker on the same network as the passenger to easily intercept a check-in link request, use it themselves and then gain access to the passenger’s online check-in. Making matters worse, several airports are notorious for their risky Wi-Fi networks.
A potential hacker could then view all of the personal data associated with the airline booking – including full name, confirmation number, and frequent traveler number. Using these credentials, the attacker could then visit the e-ticketing system before the flight takes off and access all the personally identifiable information (PII) associated with the airline booking, researchers said.
That PII includes: email, name, document number (passport ID) and expiration date, flight numbers and times, boarding passes and even seat assignments.
In some cases, potential bad actors could also add or remove extra bags, change allocated seats and change the mobile phone number or email associated with the booking.
Different airlines leaked different information through unencrypted systems – researchers included an appendix detailing “anonymized details” of what data was leaked by different airlines.
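For teams that send booking e-mails, the flaw described above can be caught before a message goes out by auditing its links. The following is an added example, not code from Wandera or any airline: it flags `http://` links that carry booking identifiers in the query string. The parameter names, hosts and sample message are assumptions constructed for illustration.

```python
import html
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed query-parameter names that identify or authenticate a booking;
# a real audit would use the names from the airline's own link format.
BOOKING_PARAMS = {"pnr", "confirmation", "bookingref", "lastname", "surname", "token"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def audit_checkin_links(email_body):
    """Classify every link in an outbound e-mail body.

    'exposed'  : http:// link carrying booking parameters. The first request
                 leaves the device in cleartext, so a later redirect to HTTPS
                 does not protect the parameters from an on-path observer.
    'plaintext': http:// link with no booking parameters.
    'ok'       : https:// link.
    """
    results = []
    # HTML mail encodes '&' as '&amp;' inside href values; decode first.
    for raw in URL_RE.findall(html.unescape(email_body)):
        url = raw.rstrip(".,;)")  # drop sentence punctuation glued to the URL
        parts = urlsplit(url)
        names = {k.lower() for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
        carried = sorted(names & BOOKING_PARAMS)
        if parts.scheme.lower() == "https":
            status = "ok"
        elif carried:
            status = "exposed"
        else:
            status = "plaintext"
        results.append({"host": parts.hostname, "status": status, "params": carried})
    return results

# Constructed sample message; hosts and values are placeholders.
SAMPLE_EMAIL = """\
<p>Dear passenger, online check-in is open.</p>
<a href="http://checkin.airline.example/start?pnr=ABC123&amp;lastName=DOE">Check in</a>
<a href="https://www.airline.example/manage?pnr=ABC123&amp;lastName=DOE">Manage booking</a>
<a href="http://www.airline.example/baggage">Baggage rules</a>
"""

if __name__ == "__main__":
    for finding in audit_checkin_links(SAMPLE_EMAIL):
        print(finding)
```

Run against a template before sending, any `exposed` result is a link of the kind the researchers describe.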
Wandera researchers said that they have notified all impacted airlines – as well as “relevant government agencies” – of the security issue after identifying the flaws in early December 2018.
“Wandera has a strict responsible disclosure process that we follow in situations like this,” researchers said. “Once the affected vendor is notified, we will allow up to four weeks for the vendor to provide a patch or other relevant fix before we disclose the vulnerability to alert the public.”
Wandera has not been able to verify that any fixes have been implemented, a spokesperson told Threatpost.
Threatpost reached out to all airlines regarding the flaws but has not yet heard back from all eight.
However, a spokeswoman for Thomas Cook Airlines said, “We take the security of our customers’ data very seriously and have investigated this matter as a priority. We have looked into the questions raised and have taken immediate action to further increase the security of our customer data.”
A Transavia spokesperson stressed to Threatpost that there has been no hacking of their databases.
“The Transavia databases are monitored in real time to identify and prevent any fraudulent access,” the spokesperson said. “An e-mail sent to Transavia customers before their trip contains an unencrypted link to the check-in process on our website. However, fraudulent use of this link would under no circumstances allow access to data other than that of the current reservation. Customer profile information, including sensitive information such as bank details, is fully protected.”
IT teams are working to further enhance security on the link sent to customers as part of the check-in process, the Transavia spokesperson said.
Recent years have seen a slew of security issues targeting airlines, from phishing campaigns to malware attacks aimed at harvesting credentials from airline customers.
French airplane and military aircraft behemoth Airbus SE in January was the latest victim of a cyberattack leading to a data breach, with an incident detected on its “commercial aircraft business” information systems.
In September, British Airways said approximately 380,000 card payments were compromised after a security breach occurred on the company’s website and mobile app in August. In August, Air Canada said 20,000 mobile app users have had their passport information exposed and asked users of its Mobile+ app to reset their accounts after it detected “unusual login behavior” between Aug. 22-24. And, earlier in April, Delta said “a small subset” of customers were impacted by a data breach tied to malware planted on a third-party service.