A vulnerability in numerous airline e-ticketing systems can expose customer data through unencrypted check-in links that an attacker on the same network can easily intercept, researchers at Wandera said.
“The intercepted and unencrypted links enable unauthorized third parties to view, and in some cases even change, a user’s flight booking details, and/or print their boarding passes,” the researchers, who discovered the vulnerability in December, wrote in a blog post.
Airlines affected at the time of the discovery included Southwest, Air France, KLM, Vueling, Jetstar, Thomas Cook, Transavia and Air Europa.
Once an unencrypted link is clicked, passengers are directed to check-in sites where they are automatically logged in and where they can make changes to a booking before printing boarding passes. “A hacker on the same network as the passenger can easily intercept the link request, use it themselves and then gain access to the passenger’s online check-in,” the researchers wrote.
The login embedded in that link could then be used to enter the e-ticketing system and read PII, including names, email addresses, passport numbers, seat assignments and booking details.
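The failure described above has two parts: the link travels over plain HTTP, so it can be read in transit, and it carries the passenger's login, so whoever reads it is logged in. The following Python is an added example (not Wandera's tooling or any airline's code) showing a check a practitioner could run over check-in links, alongside one way to issue links that carry nothing reusable. The parameter names, the `checkin.example.com` host and the sample links are constructed for illustration.

```python
import secrets
import time
from typing import Optional
from urllib.parse import urlsplit, parse_qs

# Query-parameter names that would place booking credentials or PII in the
# URL itself. Constructed list of plausible names; an assumption, not taken
# from any airline's actual system.
SENSITIVE_PARAMS = {
    "pnr", "bookingref", "booking_reference", "lastname", "surname",
    "passport", "email", "name",
}


def audit_checkin_link(url: str) -> list:
    """Return a list of findings for a check-in link; an empty list passes.

    Two things are checked: whether the link is served over HTTPS, and
    whether the query string carries identifiers that amount to a login.
    """
    parts = urlsplit(url)
    findings = []
    if parts.scheme.lower() != "https":
        findings.append(
            "link uses %s: anyone on the network path can read and reuse it"
            % (parts.scheme or "no scheme")
        )
    params = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
    leaked = sorted(params & SENSITIVE_PARAMS)
    if leaked:
        findings.append("credentials/PII in query string: " + ", ".join(leaked))
    return findings


class CheckInTokens:
    """Server-side issuer of opaque, expiring, single-use check-in links.

    The link contains only a random token; the mapping from token to booking
    stays on the server, so an intercepted link reveals no booking data and
    cannot be replayed after first use or after it expires.  `now` is
    injectable so the expiry behaviour can be exercised without sleeping.
    """

    def __init__(self, ttl_seconds: int = 24 * 3600, now=time.time):
        self._now = now
        self._ttl = ttl_seconds
        self._store = {}  # token -> (booking_ref, expiry timestamp)

    def issue(self, booking_ref: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._store[token] = (booking_ref, self._now() + self._ttl)
        # Hypothetical host; HTTPS is what keeps the token out of the hands
        # of someone sniffing the passenger's network.
        return f"https://checkin.example.com/t/{token}"

    def redeem(self, url: str) -> Optional[str]:
        """Exchange a link for its booking reference, or None if rejected."""
        parts = urlsplit(url)
        if parts.scheme.lower() != "https":
            return None
        token = parts.path.rsplit("/", 1)[-1]
        entry = self._store.pop(token, None)  # pop: a token redeems once
        if entry is None:
            return None
        booking_ref, expiry = entry
        if self._now() > expiry:
            return None
        return booking_ref


if __name__ == "__main__":
    # Constructed sample links, not real airline URLs.
    bad = "http://checkin.example.com/?pnr=ABC123&lastname=Smith"
    for finding in audit_checkin_link(bad):
        print("FAIL:", finding)
    issuer = CheckInTokens()
    link = issuer.issue("ABC123")
    print("issued:", link, "findings:", audit_checkin_link(link))
    print("first redeem:", issuer.redeem(link), "replay:", issuer.redeem(link))
```

Expiry and single use only shrink the window; they do not help if the attacker redeems the link before the passenger does. The controls that address the reported problem are the first two: serve the link over HTTPS and keep the login out of the URL.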
Wandera researchers also found other airlines with similar issues but withheld their names until the vulnerabilities could be properly disclosed.
The discovery reinforces the importance of organizations vetting the security of third parties with which they share information. “News of this vulnerability illustrates how cyber gaps can lurk right under the noses of companies, opening the door to potentially devastating data breaches,” said Matan Or-El, CEO and co-founder of Panorays. “For this reason, organizations must be sure to not only thoroughly assess and continuously monitor their own cyber posture, but that of their third parties as well. Doing so allows companies to spot and mitigate vulnerabilities like these before they are exploited by cybercriminals.”