Airline e-ticket systems’ vulnerabilities could expose PII to hackers
Eight airlines’ e-ticketing systems can expose passengers’ Personally Identifiable Information (PII) through a vulnerability in website links that are “easily intercepted by hackers,” according to a recent report by Wandera, an enterprise mobile security and data management solutions company.
“All of the major airlines that we identified are putting passenger data at risk,” Wandera said.
The company said its threat research team discovered the vulnerability. “The intercepted and unencrypted links enable unauthorized third parties to view, and in some cases even change, a user’s flight booking details, and/or print their boarding passes,” the report explained.
A hacker can therefore potentially intercept the credentials that allow access to the e-ticketing system, which contains all of the PII associated with the airline booking.
Wandera said it “shared its findings with relevant government agencies that are responsible for airport security.”
The Transportation Security Administration (TSA) did not immediately respond to requests for comment, but the Government Accountability Office (GAO) has discussed similar problems in audit reports to Congress.
A year ago, Independent Security Evaluators (ISE) examined popular open-source ticketing software, osTicket, and reported they’d identified a “number” of security flaws, and had provided Enhancesoft, the company sponsoring osTicket’s development, with information about the vulnerabilities and how to reproduce them.
Wandera said “at the time of research” its team “identified [the 8] airlines have been sending some unencrypted check-in links through their e-ticketing systems … Our threat researchers discovered that these airlines have sent unencrypted check-in links to passengers. Upon clicking these unencrypted links, a passenger is directed to a site where they are logged in automatically to the check-in for their flight, and in some cases they can then make certain changes to their booking and print off the boarding pass,” and that, “A hacker on the same network as the passenger can easily intercept the link request, use it themselves and then gain access to the passenger’s online check-in.”
Wandera said the affected airlines are:
• Southwest (world’s largest low-cost airline);
• Air France;
• Vueling (low-cost airline in Spain);
• Jetstar (low-cost airline in Australia);
• Thomas Cook (British charter airline);
• Transavia (Dutch low-cost airline); and
• Air Europa (third largest airline in Spain)
“Once the vulnerable check-in link is accessed by the passenger, a hacker can easily intercept the credentials that allow access to the e-ticketing system, which contains all of the PII associated with the airline booking,” Wandera disclosed. “Using these credentials, the attacker can visit the e-ticketing system at any point, even multiple times, prior to the flight taking off and access all the PII associated with the airline booking.”
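The weakness Wandera describes has two parts: the check-in link travels without encryption, and the link itself is the credential. An airline can check its own outgoing links for both conditions before they are sent. The following is an added example (not code from Wandera or any airline) that audits a list of links for a non-HTTPS scheme and for booking credentials carried in the URL; the parameter names in `CREDENTIAL_PARAMS` and the sample links are constructed placeholders:

```python
"""Audit outbound check-in links for unencrypted transport and for
credentials embedded in the URL. Added example; the parameter names and
sample links are assumptions, not taken from any real airline system."""
from typing import Dict, List
from urllib.parse import parse_qs, urlparse

# Query parameters that, on their own, log a passenger in to a booking.
# Assumed names for the example; real systems will differ.
CREDENTIAL_PARAMS = {"pnr", "bookingref", "lastname", "surname", "token"}


def audit_link(url: str) -> List[str]:
    """Return the findings for one link; an empty list means nothing flagged."""
    findings = []
    parsed = urlparse(url)
    if parsed.scheme != "https":
        # Anything other than HTTPS can be read or altered by anyone on the
        # same network path, which is the interception the report describes.
        findings.append("unencrypted transport")
    params = {key.lower() for key in parse_qs(parsed.query)}
    exposed = sorted(params & CREDENTIAL_PARAMS)
    if exposed:
        # Credentials in a URL also land in browser history, proxy logs and
        # Referer headers, even when the transport itself is encrypted.
        findings.append("credentials in URL: " + ", ".join(exposed))
    return findings


def audit_links(urls: List[str]) -> Dict[str, List[str]]:
    """Map each problematic URL to its findings; clean links are omitted."""
    report = {}
    for url in urls:
        findings = audit_link(url)
        if findings:
            report[url] = findings
    return report


# Constructed sample links: a plain-HTTP link that logs the user in from the
# query string, the same link over HTTPS, and a link carrying only an opaque
# single-use token.
SAMPLE_LINKS = [
    "http://checkin.example-air.test/start?pnr=ABC123&lastname=DOE",
    "https://checkin.example-air.test/start?pnr=ABC123&lastname=DOE",
    "https://checkin.example-air.test/start?t=one-time-opaque-value",
]

if __name__ == "__main__":
    for url, findings in audit_links(SAMPLE_LINKS).items():
        print(url, "->", "; ".join(findings))
```

The first sample link is flagged for both conditions, the second only for carrying credentials in the URL, and the third (HTTPS plus an opaque token) passes. Such a check belongs in the pipeline that renders notification e-mails, where it can block a template before a single passenger receives an insecure link.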
The different types of data that could be exposed, the company said, include:
• Email addresses;
• First names;
• Last names;
• Document numbers (Passport/ID);
• Document issuing countries;
• Document expiration dates;
• Booking references;
• Flight numbers;
• Flight times;
• Seat assignments;
• Baggage selections;
• Full boarding passes; and
• Details of travel companies on the same booking
Clearly, as experts have said, a great deal of PII could be gleaned from access to this data.
Wandera said that although each of the major airlines it identified is putting passenger data at risk, “there are differences in the types of data that are exposed by each individual airline e-ticketing system.”
Continuing, Wandera stated, it “initially identified the vulnerability in early December 2018,” and that its “threat research team observed that travel-related passenger details were being sent without encryption as one of our secured customers accessed the e-ticketing system of one of the airlines mentioned above. It was at that time that Wandera notified the airline and began further research.”
According to Wandera, “Further investigations were then launched to determine if any additional airline e-ticketing systems were similarly vulnerable. We discovered that multiple airlines had similar issues with their e-ticketing systems. Documentation and responsible disclosure were carried out in tandem. Wandera has a strict responsible disclosure process that we follow in situations like this. Once the affected vendor is notified, we will allow up to four weeks for the vendor to provide a patch or other relevant fix before we disclose the vulnerability to alert the public.”
According to Wandera, “Once a hacker has hijacked a passenger’s check-in, they not only have access to some of the PII listed above, but in some cases they can also add or remove extra bags, change allocated seats and change the mobile phone number or email associated with the booking.”
Recommendations include:
• Airlines should adopt encryption throughout the check-in process;
• Airlines should require user authentication for all steps where PII is accessible and especially when it is editable;
• Airlines should utilize one-time use tokens for direct links within emails; and,
• Users should have an active mobile security service deployed to monitor and block data leaks and phishing attacks.
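The first three recommendations fit together in a single design: issue only HTTPS links, put nothing in the link except an opaque token that can be redeemed once and expires, and require an authenticated session before any PII can be edited. The following is an added example of that design, not code from Wandera or any airline; the base URL, the 24-hour lifetime and the in-memory store are assumptions made for the example:

```python
"""Single-use, expiring check-in links with a separate authentication gate
for edits. Added illustrative code; the URL, lifetime and storage are
assumptions, not any airline's implementation."""
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 24 * 3600  # assumed lifetime of an e-mailed link


class CheckInLinkService:
    def __init__(self, base_url: str = "https://checkin.example-air.test/start"):
        # Links are only ever issued over HTTPS; refuse anything else up front.
        if not base_url.startswith("https://"):
            raise ValueError("check-in links must use HTTPS")
        self.base_url = base_url
        # sha256(token) -> (booking_ref, expires_at). Only the hash is kept,
        # so a copy of this store does not yield usable links.
        self._pending: Dict[str, Tuple[str, float]] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue_link(self, booking_ref: str, now: Optional[float] = None) -> str:
        """Create one single-use link for a booking and return the URL."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        self._pending[self._digest(token)] = (booking_ref, now + TOKEN_TTL_SECONDS)
        return f"{self.base_url}?t={token}"

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Exchange a token for its booking reference exactly once.

        Returns None for an unknown, already-used or expired token, so a link
        that was captured in transit and replayed later yields nothing.
        """
        now = time.time() if now is None else now
        entry = self._pending.pop(self._digest(token), None)  # consumed here
        if entry is None:
            return None
        booking_ref, expires_at = entry
        if now > expires_at:
            return None
        return booking_ref


def token_from_link(url: str) -> str:
    """Extract the token from a link issued by CheckInLinkService."""
    return url.split("?t=", 1)[1]


def authorize_edit(booking_ref: str, session: Dict[str, object]) -> bool:
    """Editing seats, bags or contact details needs a real login, not just a
    link: the session must be authenticated and belong to this booking."""
    return bool(session.get("authenticated")) and session.get("booking_ref") == booking_ref


if __name__ == "__main__":
    service = CheckInLinkService()
    link = service.issue_link("ABC123")          # constructed booking reference
    print("issued:", link)
    print("first redeem:", service.redeem(token_from_link(link)))
    print("replay:", service.redeem(token_from_link(link)))
    print("edit without login:", authorize_edit("ABC123", {"booking_ref": "ABC123"}))
```

Redeeming the token a second time returns nothing, which is what defeats the "visit the e-ticketing system at any point, even multiple times" scenario in the report; the expiry bounds the window even for a link that is never clicked. The `authorize_edit` gate keeps the link itself from being sufficient to change a booking, which is the second recommendation applied where it matters most.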