A significant flaw in Delta airlines site allowed passengers to view others boarding passes

December 19, 2014 |

In Delta site flaw lets passengers access others’ boarding passes Itnews reports on a significant weakness in Delta’s website which enabled passengers to access the boarding passes of others.  Clearly this is a significant privacy violation.  While the vulnerability was fixed it is indicative of problems with organisations failing to review their web site interface to check for vulnerability.

The article provides:

Online check-in system vulnerability discovered.

 A vulnerability in the website of American airline Delta allowed the airline’s passengers to view and alter other travellers’ boarding passes without their knowledge.

Hackers of New York founder Dani Grant this week revealed what appears to be a direct object reference vulnerability in Delta airline’s website that allows passengers of the airline to access others’ boarding passes by changing the URL.

The flaw also made it possible to view boarding passes of travellers on other airlines, Grant claimed, and to check in passengers online.

Grant contacted Delta but only received a response apologising for her “unfortunate online experience”. The airline didn’t otherwise acknowledge the severity of the vulnerability.

“I certainly understand how insecure you must have felt due to the unpleasant incident you experienced while trying to view and print boarding pass [sic] form our website,” a representative from Delta wrote to Grant in an email.

iTnews has contacted Delta for comment. The airline reportedly implemented a fix soon after being made aware of the security issue.

In 2006, privacy researcher and current chief technology officer at the American Civil Liberties Union, Chris Soghoian, was raided by the FBI and the Transport Safety Authority after he showed it was possible to alter and create boarding passes in a similar manner to what Grant has shown with Delta.

Soghoian created a valid boarding pass in the name of the late Osama bin Laden on Northwest Airlines to prove his point.

By using a prepaid credit card paid for in cash and a fake passenger name with matching forged identification, Soghoian said it was possible to get around no-fly list restrictions through airlines’ online check-in systems.

He went on to write a research paper at Yale University on the subject of bad boarding pass security and ineffective terrorist watch lists.

 

One Response to “A significant flaw in Delta airlines site allowed passengers to view others boarding passes”

  1. A significant flaw in Delta airlines site allowed passengers to view others boarding passes | Australian Law Blogs

    […] A significant flaw in Delta airlines site allowed passengers to view others boarding passes […]

Leave a Reply





Verified by MonsterInsights