Among the conveniences offered in modern air travel is the ability to get an e-ticket, providing access to a travel reservation and seat check-in information. As it turns out, for some major airlines, that passenger convenience hasn’t been properly secured, exposing users and airlines alike to risk.
Security firm Wandera reported on Feb. 6 that it discovered an airline check-in vulnerability impacting multiple airlines, including Southwest, Air France, KLM, Vueling, Jetstar, Thomas Cook, Transavia and Air Europa. The flaw is a relatively simple one, as the airlines have been emailing unencrypted check-in links to passengers. Since the links are unencrypted, they could be intercepted or reused by an unauthorized third party to change the details for a reservation and gain access to user information.
“Our researchers observed unencrypted network traffic going to airline servers that was consistent with sensitive content,” Michael Covington, vice president of product at Wandera, told eWEEK. “Upon further investigation, we found that this data—suspicious parameters on a URL string—was actually being used to transparently authenticate the user into the e-ticketing website.”
Wandera offers a mobile security solution that includes data leak protection. Covington noted that the Wandera technology specifically monitors for personally identifiable information (usernames, passwords, credit card numbers, etc.) that may be sent across the network—either by native mobile apps or in a browser—without encryption.
Covington said that by not limiting the e-ticketing check-in URLs to one-time use, the airlines open their e-ticketing systems up to a replay attack that allows an attacker to easily gain access to passenger accounts.
Disclosure
Wandera went through the process of responsibly disclosing the flaw to the impacted airlines in December 2018 and January 2019.
“We have been in communication with a some of the airlines as they respond to our responsible disclosure and investigate how to fix the vulnerability,” Covington said.
Although Wandera has warned the airlines of the risk, Covington noted the researchers have not been able to verify that all of the needed fixes have been implemented. At this point, it’s also unclear if the unencrypted URLs have ever been used maliciously. Covington said Wandera does not have any evidence of this vulnerability being exploited and only the airlines can comment on any misuse that has occurred to date.
“I think there are a lot of people out there who would try to profit from the sale of passenger data,” he said.
As to why the flaw is present in the first place, Covington said he’s fairly confident that this vulnerability impacts more than one platform. While a subset of the airlines may use a common platform, there are sufficient variations in how these systems communicate that he believes there to be several e-ticketing systems involved.
“I suspect this boils down to an industry-wide decision to make online check-in easy; they’ve essentially prioritized usability over security,” he said. “The entire problem goes away if they simply made the e-mail/SMS links one-time use.”
What’s the Lesson Here?
With regard to lessons for the airlines, Covington has a few key suggestions:
- Encrypt everything. This vulnerability surfaced because the airlines fail to use encryption to protect sensitive parameters that uniquely identify passengers.
- Adopt one-time use tokens for access to e-ticketing systems. This vulnerability could be addressed—even without encryption—by simply preventing a check-in link from being reused. The links provided to passengers in email and SMS that initiate the check-in process should be one-time use.
There are also a few key recommendations for passengers to help reduce any potential risk.
“Treat links that provide access to e-ticketing like they are passwords,” he said. “Be mindful of the device being used to access these links and the networks you’re associated with when performing these transactions.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.