Close
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Menu
eWEEK.com
Search
eWEEK.com
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Major Airlines at Risk From Check-In System Flaw, Wandera Reports

    By
    SEAN MICHAEL KERNER
    -
    February 6, 2019
    Share
    Facebook
    Twitter
    Linkedin
      Airline Laptop Ban

      Among the conveniences offered in modern air travel is the ability to get an e-ticket, providing access to a travel reservation and seat check-in information. As it turns out, for some major airlines, that passenger convenience hasn’t been properly secured, exposing users and airlines alike to risk.

      Security firm Wandera reported on Feb. 6 that it discovered an airline check-in vulnerability impacting multiple airlines, including Southwest, Air France, KLM, Vueling, Jetstar, Thomas Cook, Transavia and Air Europa. The flaw is a relatively simple one, as the airlines have been emailing unencrypted check-in links to passengers. Since the links are unencrypted, they could be intercepted or reused by an unauthorized third party to change the details for a reservation and gain access to user information.

      “Our researchers observed unencrypted network traffic going to airline servers that was consistent with sensitive content,” Michael Covington, vice president of product at Wandera, told eWEEK. “Upon further investigation, we found that this data—suspicious parameters on a URL string—was actually being used to transparently authenticate the user into the e-ticketing website.”

      Wandera offers a mobile security solution that includes data leak protection. Covington noted that the Wandera technology specifically monitors for personally identifiable information (usernames, passwords, credit card numbers, etc.) that may be sent across the network—either by native mobile apps or in a browser—without encryption.

      Covington said that by not limiting the e-ticketing check-in URLs to one-time use, the airlines open their e-ticketing systems up to a replay attack that allows an attacker to easily gain access to passenger accounts.

      Disclosure

      Wandera went through the process of responsibly disclosing the flaw to the impacted airlines in December 2018 and January 2019.

      “We have been in communication with a some of the airlines as they respond to our responsible disclosure and investigate how to fix the vulnerability,” Covington said. 

      Although Wandera has warned the airlines of the risk, Covington noted the researchers have not been able to verify that all of the needed fixes have been implemented. At this point, it’s also unclear if the unencrypted URLs have ever been used maliciously. Covington said Wandera does not have any evidence of this vulnerability being exploited and only the airlines can comment on any misuse that has occurred to date.

      “I think there are a lot of people out there who would try to profit from the sale of passenger data,” he said. 

      As to why the flaw is present in the first place, Covington said he’s fairly confident that this vulnerability impacts more than one platform. While a subset of the airlines may use a common platform, there are sufficient variations in how these systems communicate that he believes there to be several e-ticketing systems involved.

      “I suspect this boils down to an industry-wide decision to make online check-in easy; they’ve essentially prioritized usability over security,” he said. “The entire problem goes away if they simply made the e-mail/SMS links one-time use.”

      What’s the Lesson Here?

      With regard to lessons for the airlines, Covington has a few key suggestions:

      • Encrypt everything. This vulnerability surfaced because the airlines fail to use encryption to protect sensitive parameters that uniquely identify passengers.
      • Adopt one-time use tokens for access to e-ticketing systems. This vulnerability could be addressed—even without encryption—by simply preventing a check-in link from being reused. The links provided to passengers in email and SMS that initiate the check-in process should be one-time use.

      There are also a few key recommendations for passengers to help reduce any potential risk.

      “Treat links that provide access to e-ticketing like they are passwords,” he said. “Be mindful of the device being used to access these links and the networks you’re associated with when performing these transactions.”

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      CHRIS PREIMESBERGER - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      CHRIS PREIMESBERGER - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      EWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      ZEUS KERRAVALA - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      WAYNE RASH - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more
      eWeek


      Contact Us | About | Sitemap

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Property of TechnologyAdvice.
      Terms of Service | Privacy Notice | Advertise | California - Do Not Sell My Info

      © 2020 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×