A Flaw Found in E-Ticketing Systems Used By at Least Eight Airlines Could Be Exploited To Access Sensitive Information About Travelers

Eight airlines, including Southwest, use e-ticketing systems that could allow hackers to access sensitive information about travelers merely by intercepting emails, according to research published Wednesday by the mobile security company Wandera. From a news writeup: Researchers at security and data management company Wandera have uncovered a vulnerability affecting a number of e-ticketing systems that could allow third parties to view, and in some cases even change, a user's flight booking details, or print their boarding passes. The problem affects a number of major airlines including Southwest, Air France, KLM and Thomas Cook.

All of these have sent unencrypted check-in links to passengers. On clicking these links, a passenger is directed to a site where they are logged in automatically to the check-in for their flight, and in some cases they can then make changes to their booking.

Not close to the biggest issue.

If someone has hacked into my e-mail, you think the fact that they can access my boarding pass for an upcoming flight is the biggest issue?

Sure, this person can potentially print my boarding pass or cancel my flight (by the way, there are WAY bigger vulnerabilities that allow this too that are known in the industry). Annoying, but not life threatening. They can see my real name (which, if they have my e-mail, they already know). They can SORT OF change flight info, but in general airlines prevent changing the name on a ticket after it's issued, so they can't "steal" my reservation. They almost certainly can't see my full credit card number.

Compare this "vulnerability" to the host of other malicious things someone with access to my e-mail can do! They can try to reset my password at every site I use that I don't have 2FA enabled for (for me, most of them, but a lot of people still log into their bank, credit card company, etc. without 2FA). They can see every person I correspond with and the details of the correspondance. Now THAT'S personally identifying information.

I get this is an attack vendor, and everyone in every space that does business on the internet should be aware of their possible attack vendors, and close doors where possible.

But come on. This? As the threat to be concerned about if someone's got my e-mail account? To paraphrase an old Scott Adams book re: failure to realize what's important "My house is on fire! Quick, call the post office and ask them to hold my mail!!"