[BreachExchange] Airline e-ticketing systems put passenger data at risk

Destry Winant destry at riskbasedsecurity.com
Fri Feb 8 09:00:26 EST 2019


https://betanews.com/2019/02/06/airline-eticketing-passenger-risk/

Airlines could be putting the personal data of their passengers at
risk by using unencrypted links, according to a new report.

Researchers at security and data management company Wandera have
uncovered a vulnerability affecting a number of e-ticketing systems
that could allow third parties to view, and in some cases even change,
a user's flight booking details, or print their boarding passes.

The problem affects a number of major airlines including Southwest,
Air France, KLM and Thomas Cook. All of these have sent unencrypted
check-in links to passengers. On clicking these links, a passenger is
directed to a site where they are logged in automatically to the
check-in for their flight, and in some cases they can then make
changes to their booking.

A hacker can therefore potentially intercept the credentials that
allow access to the e-ticketing system, which contains all of the PII
associated with the airline booking. There is also potential for a
hacker or criminal to print a victim's boarding pass and attempt to
board a scheduled flight.

Wandera initially identified the vulnerability in early December 2018.
It has been responsibly disclosed to the airlines affected as well as
to the relevant government agencies that are responsible for airport
security.

The company recommends that airlines should use encryption and require
users to log in at all stages where PII is accessible, as well as using
one-time tokens for links in emails.
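
The three recommendations above, combined in one sketch. This is an added example, not part of the original post or any airline's code. The host name, token lifetime, in-memory store and function names are assumptions.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlsplit

TOKEN_TTL = 15 * 60   # assumed lifetime in seconds
BASE_URL = "https://checkin.airline.example/start"  # placeholder host
_tokens = {}          # sha256(token) -> record; stands in for a database table


def _digest(token):
    # Store only a hash so a leaked table does not yield usable links.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_checkin_link(booking_ref, owner, now=None):
    """Create a single-use, expiring HTTPS link for one booking."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _tokens[_digest(token)] = {"booking": booking_ref, "owner": owner,
                               "expires": now + TOKEN_TTL, "used": False}
    return f"{BASE_URL}?t={token}"


def redeem(url, logged_in_user, now=None):
    """Return the booking reference, or None if the request must be refused."""
    now = time.time() if now is None else now
    parts = urlsplit(url)  # stand-in for the scheme and query of the request
    token = parse_qs(parts.query).get("t", [""])[0]
    rec = _tokens.get(_digest(token))
    if rec is None or rec["used"] or now > rec["expires"]:
        return None
    if parts.scheme != "https":
        rec["used"] = True  # token crossed the network in cleartext: burn it
        return None
    if logged_in_user != rec["owner"]:
        return None         # the link alone never opens PII; login is required
    rec["used"] = True      # single use: a replayed link is refused
    return rec["booking"]
```

A link captured in transit is useless here once the passenger has used it, and useless before that without the passenger's own login.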

