A Flaw Found in E-Ticketing Systems Used By at Least Eight Airlines Could Be Exploited To Access Sensitive Information About Travelers

Eight airlines, including Southwest, use e-ticketing systems that could allow hackers to access sensitive information about travelers merely by intercepting emails, according to research published Wednesday by the mobile security company Wandera. From a news writeup: Researchers at security and data management company Wandera have uncovered a vulnerability affecting a number of e-ticketing systems that could allow third parties to view, and in some cases even change, a user's flight booking details, or print their boarding passes. The problem affects a number of major airlines including Southwest, Air France, KLM and Thomas Cook.

All of these have sent unencrypted check-in links to passengers. On clicking these links, a passenger is directed to a site where they are logged in automatically to the check-in for their flight, and in some cases they can then make changes to their booking.

No

It is inaccurate. The scenario described is only possible in a test lab. In reality the system is much more sensible than the report implies so no.

Re: No

The link HAS to be "unencrypted" for the recipient to click on it.

This looks like an authorization big on their server... someone who has checked in for a reserved flight obviously shouldn't have permission to modify it -- that should require a fresh login with credentials.

That's true for many services...

[b0s0z0ku]

A PDF phone bill can often be used to change phone/internet service by calling the provider, since it has the account # + verification code. How many tickets actually get "stolen" or "altered" because of intercepted emails?

So what?

Eight airlines, including Southwest, use e-ticketing systems that could allow hackers to access sensitive information about travelers merely by intercepting emails,

Intercepting a specific email in transit is going to be relatively difficult. You'd need to get somewhere between the two endpoints at the right time. It's certainly possible that some guy in a basement somewhere could do it, but it's a lot of effort for not much payoff.

Most email when read is encrypted these days, so that's somewhat difficult too. That leaves hacking into someones email account, which is the easiest target. But then... what can you do? A lot of effort just to know someone's going to Aruba, or change their generally non-refundable ticket?

Getting into someones email normally means you can get into all the other accounts anyway through password resets. That means banks, credit card accounts, etc. ThatGetting someones boarding pass isn't going to get you much when you show up for the same flight as the victim, and they wonder why you're sitting in their seat.

Not close to the biggest issue.

If someone has hacked into my e-mail, you think the fact that they can access my boarding pass for an upcoming flight is the biggest issue?

Sure, this person can potentially print my boarding pass or cancel my flight (by the way, there are WAY bigger vulnerabilities that allow this too that are known in the industry). Annoying, but not life threatening. They can see my real name (which, if they have my e-mail, they already know). They can SORT OF change flight info, but in general airlines prevent changing the name on a ticket after it's issued, so they can't "steal" my reservation. They almost certainly can't see my full credit card number.

Compare this "vulnerability" to the host of other malicious things someone with access to my e-mail can do! They can try to reset my password at every site I use that I don't have 2FA enabled for (for me, most of them, but a lot of people still log into their bank, credit card company, etc. without 2FA). They can see every person I correspond with and the details of the correspondance. Now THAT'S personally identifying information.

I get this is an attack vendor, and everyone in every space that does business on the internet should be aware of their possible attack vendors, and close doors where possible.

But come on. This? As the threat to be concerned about if someone's got my e-mail account? To paraphrase an old Scott Adams book re: failure to realize what's important "My house is on fire! Quick, call the post office and ask them to hold my mail!!"

Re:Not close to the biggest issue.

I work in the industry, one of our clients is affected by this, and its a pretty huge deal to them.
Probably not for the majority of users, but for corporations and business? They are asking what the plan is to mitigate this.

Re:Not close to the biggest issue.

Really? The issue presented here is that they send "magic links" that work without a password. The fix is to not do that. Not a hard fix, and doesn't really need any major reworking of existing infrastructure - just make them hit a login page.

There are a lot of terrible, awful, no good, very very bad security issues that are widespread in the travel industry that are both widespread and way easier to exploit than this (I work in the industry too).

Oy vey!

[FilmedInNoir]

They'll find out I requested the Kosher meal.

Re:Oy vey!

I had the fish.

Not a Bug - NSA Feature

Duh..

You think this is a bug, you're wrong. It's a feature that allows government to spy without a warrant.

Gluten

I'm sensitive to gluten but I don't want anyone to exploit that.

This is hardly a flaw

Possibly a security risk.
Convenience typically always comes with risk.
In this case, the risk is absolutely worth the convenience.

If your email gets hacked tidying up access to airline sites would be somewhere near the bottom of the list of important things to do.

Bottom Line

Lets make sure they fix this by de-listing them as a TSA trusted entity till it is fixed; effectively suspending service.

Security in transportation is not an option, and companies that take it lightly, or perform the bare minimum, should be held accountable and made to pay with either fines or lost revenue.

Re:Bottom Line

[bws111]

How, exactly, does this affect 'security in transportation'?

Don't need e-mail - use discarded Boarding Pass

You'd be surprised what you can do with a discarded boarding pass and they are pretty easy to find throughout an airport terminal.

https://www.theguardian.com/business/2006/may/03/theairlineindustry.idcards

We logged on to the BA website, bought a ticket in Broer's name and then, using the frequent flyer number on his boarding pass stub, without typing in a password, were given full access to all his personal details - including his passport number, the date it expired, his nationality (he is Dutch, living in the UK) and his date of birth. The system even allowed us to change the information.