You would like to think that airlines are taking security seriously.
After all, every time you try to board a plane you’re asked to take off your belt and shoes, prove that your laptops boot up, discard any liquids that weren’t bought in Duty Free, and dispose of your toenail clippers.
Which makes it all the more ironic that it appears some airlines make it so darn easy to grab a complete strangers’ electronic boarding pass.
Dani Grant, the founder of Hackers of NY and an intern at Buzzfeed (which can’t have hurt at all in getting the story the attention it deserved) discovered that it was child’s play to access someone else’s boarding pass – just by changing the URL that Delta Airlines had sent her.
Indeed, she found she could even end up with tickets for a completely different airline
As Dani Grant reported, she had the capability to even check in as the strangers and change their seat.
The mind boggles at the stupidity of the boarding pass website having this fundamental error in its design – known as insecure direct object references.
These type of vulnerabilities works like this.
A website gives you a URL to access your private information (such as your airline ticket).
The URL might take the form of something like this, where 123456 is your account number:
http://example.com/app/accountInfo?acct=123456
If the website does not properly authenticate if you are allowed to access that particular account (for instance, by asking for a password or requiring an additional token based upon a cryptic hash), then it`s child`s play for someone to simply change the account number in the URL.
For instance, here the account ID has been changed to access other users` information:
http://example.com/app/accountInfo?acct=123457
http://example.com/app/accountInfo?acct=123458
You hardly have to be an elite hacker to change a URL and access someone else’s boarding pass.
Clearly Delta’s customer support team didn’t understand the severity of what was being reported to them, with their response which failed to say that they would be getting the site fixed before it could be abused.
Hopefully whoever was responsible for the website has had a sharp kick up the backside about security, and won’t make this elementary mistake again. Websites containing sensitive information must be properly engineered to protect users` privacy and treat security as a high priority.
tags
Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.
View all postsSeptember 06, 2024
September 02, 2024