Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Major Airlines at Risk From Check-In System Flaw, Wandera Reports

    By
    Sean Michael Kerner
    -
    February 6, 2019
    Share
    Facebook
    Twitter
    Linkedin
      Airline Laptop Ban

      Among the conveniences offered in modern air travel is the ability to get an e-ticket, providing access to a travel reservation and seat check-in information. As it turns out, for some major airlines, that passenger convenience hasn’t been properly secured, exposing users and airlines alike to risk.

      Security firm Wandera reported on Feb. 6 that it discovered an airline check-in vulnerability impacting multiple airlines, including Southwest, Air France, KLM, Vueling, Jetstar, Thomas Cook, Transavia and Air Europa. The flaw is a relatively simple one, as the airlines have been emailing unencrypted check-in links to passengers. Since the links are unencrypted, they could be intercepted or reused by an unauthorized third party to change the details for a reservation and gain access to user information.

      “Our researchers observed unencrypted network traffic going to airline servers that was consistent with sensitive content,” Michael Covington, vice president of product at Wandera, told eWEEK. “Upon further investigation, we found that this data—suspicious parameters on a URL string—was actually being used to transparently authenticate the user into the e-ticketing website.”

      Wandera offers a mobile security solution that includes data leak protection. Covington noted that the Wandera technology specifically monitors for personally identifiable information (usernames, passwords, credit card numbers, etc.) that may be sent across the network—either by native mobile apps or in a browser—without encryption.

      Covington said that by not limiting the e-ticketing check-in URLs to one-time use, the airlines open their e-ticketing systems up to a replay attack that allows an attacker to easily gain access to passenger accounts.

      Disclosure

      Wandera went through the process of responsibly disclosing the flaw to the impacted airlines in December 2018 and January 2019.

      “We have been in communication with a some of the airlines as they respond to our responsible disclosure and investigate how to fix the vulnerability,” Covington said. 

      Although Wandera has warned the airlines of the risk, Covington noted the researchers have not been able to verify that all of the needed fixes have been implemented. At this point, it’s also unclear if the unencrypted URLs have ever been used maliciously. Covington said Wandera does not have any evidence of this vulnerability being exploited and only the airlines can comment on any misuse that has occurred to date.

      “I think there are a lot of people out there who would try to profit from the sale of passenger data,” he said. 

      As to why the flaw is present in the first place, Covington said he’s fairly confident that this vulnerability impacts more than one platform. While a subset of the airlines may use a common platform, there are sufficient variations in how these systems communicate that he believes there to be several e-ticketing systems involved.

      “I suspect this boils down to an industry-wide decision to make online check-in easy; they’ve essentially prioritized usability over security,” he said. “The entire problem goes away if they simply made the e-mail/SMS links one-time use.”

      What’s the Lesson Here?

      With regard to lessons for the airlines, Covington has a few key suggestions:

      • Encrypt everything. This vulnerability surfaced because the airlines fail to use encryption to protect sensitive parameters that uniquely identify passengers.
      • Adopt one-time use tokens for access to e-ticketing systems. This vulnerability could be addressed—even without encryption—by simply preventing a check-in link from being reused. The links provided to passengers in email and SMS that initiate the check-in process should be one-time use.

      There are also a few key recommendations for passengers to help reduce any potential risk.

      “Treat links that provide access to e-ticketing like they are passwords,” he said. “Be mindful of the device being used to access these links and the networks you’re associated with when performing these transactions.”

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

      Sean Michael Kerner
      Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.

      MOST POPULAR ARTICLES

      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Cloud

      Yotascale CEO Asim Razzaq on Controlling Multicloud...

      James Maguire - May 5, 2022 0
      Asim Razzaq, CEO of Yotascale, provides guidance on understanding—and containing—the complex cost structure of multicloud computing. Among the topics we covered:  As you survey the...
      Read more
      Big Data and Analytics

      GoodData CEO Roman Stanek on Business Intelligence...

      James Maguire - May 4, 2022 0
      I spoke with Roman Stanek, CEO of GoodData, about business intelligence, data as a service, and the frustration that many executives have with data...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Applications

      Cisco’s Thimaya Subaiya on Customer Experience in...

      James Maguire - May 10, 2022 0
      I spoke with Thimaya Subaiya, SVP and GM of Global Customer Experience at Cisco, about the factors that create good customer experience – and...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×