With the benefits of technology also come many risks, and it is no secret that airlines are not exempt from security problems. Now a serious vulnerability has come to light that could expose sensitive information of millions of passengers, including their personal data and even their passport numbers, in addition to allowing access to their flight data.
Specifically, a team of researchers has discovered that the electronic ticket (e-ticket) systems of several airlines could give way to a serious security risk, because the links in the emails sent to passengers are not encrypted.
This omission could allow hackers who are on the same network as the user (for example, a public Wi-Fi network, common in airports, coffee shops or restaurants) to view, and in some cases even change, the details of flight bookings or boarding passes.
The security agency Wandera says that eight airlines have been sending out unencrypted check-in links through their electronic ticket systems. The companies mentioned in the report are: Southwest, Air France, KLM, Vueling, Jetstar, Thomas Cook, Transavia and Air Europa.
“Our threat researchers discovered that these carriers have been sending passengers unencrypted billing links,” Liarna La Porta, part of the Wandera team, told Threatpost. “By clicking on these unencrypted links, a passenger is directed to a site where they are signed in automatically to the check-in for their flight and, in some cases, can make certain changes to their booking and print boarding passes.”
Essentially, this flaw could allow a hacker to easily intercept a check-in link and gain access to the passenger's information. According to the report, the hacker could see all the personal data associated with the airline booking, including the full name, confirmation number and frequent flyer number.
But the potential risks associated with this flaw go beyond simple, basic data. Wandera warns that, using these credentials, the attacker could enter the electronic ticket system and access all the personally identifiable information associated with the flight booking, which includes the passenger's name and email address, and even the number of the document that airlines require in order to buy a ticket, that is, the ID or passport, and its expiration date.
With respect to the specific trip, the attacker could also access flight numbers and times, boarding passes and seat assignments. In some cases, they could even add or remove additional baggage, change the assigned seats, and change the mobile phone number or email address associated with the reservation.
Wandera's researchers said that they notified all the affected airlines, as well as the “relevant government agencies”, about this security issue after identifying the flaws in early December 2018.
“Wandera has a strict responsible disclosure process that we follow in situations like this,” the researchers said. “Once it is reported to the affected vendor, we give a period of up to four weeks to provide a patch or another relevant solution before disclosing the vulnerability to alert the public.”
Because of the way this vulnerability is exploited, it is unlikely that attackers could use it to launch a broad attack, but it could still affect travelers at the individual level. To avoid this type of problem, it is important to open these links only on a secure network, avoiding public Wi-Fi, or to carry out the transactions by telephone or, if possible, in person, or to use lock apps to protect yourself.
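On the sending side, the omission described above can be caught before an e-ticket email leaves the mail system. The following is an added example, not code from Wandera's report or from any airline: it scans an email's HTML part for links that use plain `http` and rates those carrying query parameters as high severity. The sample email, the `airline.example` domain, the parameter names and the severity rule are constructed assumptions.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Constructed sample e-ticket email; domain and parameter names are hypothetical.
SAMPLE_EMAIL = """\
From: checkin@airline.example
To: passenger@mail.example
Subject: Check in for your flight
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<a href="http://checkin.airline.example/start?pnr=ABC123&amp;surname=DOE">Check in</a>
<a href="https://www.airline.example/help">Help</a>
<a href="HTTP://checkin.airline.example/pass?token=xyz">Boarding pass</a>
<a href="http://www.airline.example/terms">Terms</a>
</body></html>
"""

class LinkCollector(HTMLParser):
    """Collects the href value of every <a> tag."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links += [v for k, v in attrs if k == "href" and v]

def audit_email(raw):
    """Return (severity, url, param_names) for each link sent over plain http."""
    findings = []
    for part in message_from_string(raw).walk():
        if part.get_content_type() != "text/html":
            continue
        body = part.get_payload(decode=True)
        html = body.decode(part.get_content_charset() or "utf-8", "replace")
        collector = LinkCollector()
        collector.feed(html)
        for url in collector.links:
            parts = urlsplit(url)  # urlsplit lowercases the scheme
            if parts.scheme != "http":
                continue
            # Assumption: any query parameter may identify the booking or session.
            params = [name for name, _ in parse_qsl(parts.query)]
            findings.append(("HIGH" if params else "LOW", url, params))
    return findings

if __name__ == "__main__":
    for finding in audit_email(SAMPLE_EMAIL):
        print(finding)
```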