Airline e-ticketing systems put passenger data at risk
Airlines could be putting the personal data of their passengers at risk by using unencrypted links, according to a new report.
Researchers at security and data management company Wandera have uncovered a vulnerability affecting a number of e-ticketing systems that could allow third parties to view, and in some cases even change, a user's flight booking details, or print their boarding passes.
The problem affects a number of major airlines including Southwest, Air France, KLM and Thomas Cook. All of these have sent unencrypted check-in links to passengers. On clicking these links, a passenger is directed to a site where they are logged in automatically to the check-in for their flight, and in some cases they can then make changes to their booking.
A hacker can therefore potentially intercept the credentials that allow access to the e-ticketing system, which contains all of the personally identifiable information (PII) associated with the airline booking. There is also potential for a hacker or criminal to print a victim's boarding pass and attempt to board a scheduled flight.
Wandera initially identified the vulnerability in early December 2018. It has been responsibly disclosed to the airlines affected as well as to the relevant government agencies that are responsible for airport security.
The company recommends that airlines use encryption and require users to log in at all stages where PII is accessible, as well as using one-time tokens for links in emails.
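A minimal sketch of the one-time-token recommendation above, added here as an illustration and not taken from Wandera's report or any airline's system. The class name, the `t` query parameter, the example host and the 15-minute lifetime are all assumptions.

```python
import hashlib
import secrets
import time
from urllib.parse import urlencode, urlsplit, parse_qs

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; not a figure from the report


class CheckinLinkIssuer:
    """Issues single-use, expiring check-in links (hypothetical service)."""

    def __init__(self, base_url, clock=time.time):
        # Refuse to build links that would travel unencrypted.
        if urlsplit(base_url).scheme != "https":
            raise ValueError("check-in links must use https")
        self.base_url = base_url
        self.clock = clock
        self._pending = {}  # sha256(token) -> (booking_ref, expires_at)

    def issue(self, booking_ref):
        # Random token: the URL itself carries no booking data or credentials.
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (booking_ref, self.clock() + TOKEN_TTL_SECONDS)
        return f"{self.base_url}?{urlencode({'t': token})}"

    def redeem(self, url):
        """Return the booking reference once; None for reuse, expiry or http.

        The result only selects which booking the login page is for; the
        caller must still authenticate the passenger before showing PII.
        """
        parts = urlsplit(url)
        token = parse_qs(parts.query).get("t", [""])[0]
        digest = hashlib.sha256(token.encode()).hexdigest()
        # pop() makes the token single-use, and burns it even if the
        # request below is rejected for arriving over plain http.
        entry = self._pending.pop(digest, None)
        if entry is None or parts.scheme != "https":
            return None
        booking_ref, expires_at = entry
        if self.clock() > expires_at:
            return None
        return booking_ref
```

Only the SHA-256 digest of each token is stored, so a leak of the pending-token table does not yield usable links.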
You can find more details on the Wandera blog.