Wandera cyber security experts discovered a new flaw in airline e-ticketing systems that could expose passengers’ personally identifiable information (PII)
A new cyber security flaw in airline e-ticketing systems is once again putting travelers’ privacy at risk. Wandera experts discovered a vulnerability that could expose passengers’ personally identifiable information (PII) through links that enable unauthorized third parties to view, and in some cases even change, a user’s flight booking details, and/or print their boarding passes. According to the company’s blog, at the time of research the following airlines had been sending some unencrypted check-in links through their e-ticketing systems: Southwest, Air France, KLM, Vueling, Jetstar, Thomas Cook, Transavia, and Air Europa. Upon clicking on such a link, a passenger is directed to a site where they are logged in automatically to the check-in for their flight, and in some cases they can then make changes to the booking and print off the boarding pass.
Less than one month ago, more than 140 international companies could have suffered a major security breach
Less than one month ago, another cyber security threat to airlines emerged. More than 140 international companies could have suffered a major security breach. Thanks to a flaw in the Amadeus online reservation system, malicious hackers could have gained access to private information on flight bookings made by millions of customers. The flaw was discovered by the cyber security expert and hacktivist Noam Rotem, who works at Safety Detective’s research labs. The system controls over 44% of the international carriers market, and the vulnerability potentially affects tens of millions of travelers. As described, the security bug was found when trying to book a flight on EL AL, Israel’s national carrier, which sent the security researchers a link to check the PNR: “https://fly.elal.co.il/LOTS-OF-NUMBERS-HERE”. From there it was only a matter of changing the RULE_SOURCE_1_ID, which allowed them to view any Passenger Name Record (PNR), giving them access to the passengers’ names as well as to all associated flight details.
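
Detection logic for the parameter-tampering pattern described above, as an added example that is not from the original article or from Amadeus: it flags clients that request many distinct RULE_SOURCE_1_ID values within a short window. The log format, the /pnr/view path, the thresholds and all sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log (combined-log style). IPs, path and IDs are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jan/2019:10:00:01 +0000] "GET /pnr/view?RULE_SOURCE_1_ID=1001 HTTP/1.1" 200 5120
203.0.113.7 - - [14/Jan/2019:10:00:03 +0000] "GET /pnr/view?RULE_SOURCE_1_ID=1002 HTTP/1.1" 200 5087
203.0.113.7 - - [14/Jan/2019:10:00:05 +0000] "GET /pnr/view?RULE_SOURCE_1_ID=1003 HTTP/1.1" 404 312
203.0.113.7 - - [14/Jan/2019:10:00:07 +0000] "GET /pnr/view?RULE_SOURCE_1_ID=1004 HTTP/1.1" 200 5144
203.0.113.7 - - [14/Jan/2019:10:00:09 +0000] "GET /pnr/view?RULE_SOURCE_1_ID=1005 HTTP/1.1" 200 5101
198.51.100.20 - - [14/Jan/2019:10:01:00 +0000] "GET /pnr/view?RULE_SOURCE_1_ID=2042 HTTP/1.1" 200 5090
198.51.100.20 - - [14/Jan/2019:10:02:30 +0000] "GET /pnr/view?RULE_SOURCE_1_ID=2042 HTTP/1.1" 200 5090
198.51.100.20 - - [14/Jan/2019:10:04:10 +0000] "GET /pnr/view?RULE_SOURCE_1_ID=2042 HTTP/1.1" 200 5090
192.0.2.15 - - [14/Jan/2019:08:00:00 +0000] "GET /pnr/view?RULE_SOURCE_1_ID=3001 HTTP/1.1" 200 5002
192.0.2.15 - - [14/Jan/2019:10:00:00 +0000] "GET /pnr/view?RULE_SOURCE_1_ID=3002 HTTP/1.1" 200 5002
192.0.2.15 - - [14/Jan/2019:12:00:00 +0000] "GET /pnr/view?RULE_SOURCE_1_ID=3003 HTTP/1.1" 200 5002
192.0.2.15 - - [14/Jan/2019:14:00:00 +0000] "GET /pnr/view?RULE_SOURCE_1_ID=3004 HTTP/1.1" 200 5002
"""

# client IP, timestamp, request target
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) ')

def find_enumeration(log_text, param="RULE_SOURCE_1_ID", max_distinct=3,
                     window=timedelta(minutes=5)):
    """Return {client_ip: all distinct IDs it requested} for every client that
    asked for more than max_distinct different IDs inside one sliding window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, target = m.groups()
        values = parse_qs(urlsplit(target).query).get(param)
        if values:  # failed lookups count too: misses are part of a sweep
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            events[ip].append((when, values[0]))
    flagged = {}
    for ip, seen in events.items():
        seen.sort()
        start = 0
        for end in range(len(seen)):
            while seen[end][0] - seen[start][0] > window:
                start += 1  # drop requests that fell out of the window
            if len({v for _, v in seen[start:end + 1]}) > max_distinct:
                flagged[ip] = sorted({v for _, v in seen})
                break
    return flagged

if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG))
```

A legitimate passenger normally touches one booking, so the distinct-ID count per client is a stronger signal than raw request volume; the actual fix remains a server-side check that the session is authorized for the requested record.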