A significant flaw in Delta airline's site allowed passengers to view others' boarding passes

December 19, 2014

In "Delta site flaw lets passengers access others' boarding passes", iTnews reports on a significant weakness in Delta's website which enabled passengers to access the boarding passes of others. Clearly this is a significant privacy violation. While the vulnerability was fixed, it is indicative of organisations failing to review their website interfaces for vulnerabilities.

The article provides:

Online check-in system vulnerability discovered.

A vulnerability in the website of American airline Delta allowed the airline’s passengers to view and alter other travellers’ boarding passes without their knowledge.

Hackers of New York founder Dani Grant this week revealed what appears to be a direct object reference vulnerability in Delta airline’s website that allows passengers of the airline to access others’ boarding passes by changing the URL.

The flaw also made it possible to view boarding passes of travellers on other airlines, Grant claimed, and to check in passengers online.

Grant contacted Delta but only received a response apologising for her “unfortunate online experience”. The airline didn’t otherwise acknowledge the severity of the vulnerability.

“I certainly understand how insecure you must have felt due to the unpleasant incident you experienced while trying to view and print boarding pass [sic] form our website,” a representative from Delta wrote to Grant in an email.

iTnews has contacted Delta for comment. The airline reportedly implemented a fix soon after being made aware of the security issue.

In 2006, privacy researcher and current chief technology officer at the American Civil Liberties Union, Chris Soghoian, was raided by the FBI and the Transport Safety Authority after he showed it was possible to alter and create boarding passes in a similar manner to what Grant has shown with Delta.

Soghoian created a valid boarding pass in the name of the late Osama bin Laden on Northwest Airlines to prove his point.

By using a prepaid credit card paid for in cash and a fake passenger name with matching forged identification, Soghoian said it was possible to get around no-fly list restrictions through airlines’ online check-in systems.

He went on to write a research paper at Yale University on the subject of bad boarding pass security and ineffective terrorist watch lists.
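The direct object reference flaw the article describes, where changing an identifier in the URL returns another passenger's record, comes down to a missing ownership check on the server. The following is an added example, not Delta's code and not part of the iTnews article; the pass IDs, passenger IDs, session structure and function names are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class BoardingPass:
    pass_id: str
    passenger_id: str
    flight: str
    checked_in: bool = False

# Constructed sample data: IDs, passengers and flights are invented.
PASSES = {
    "BP1001": BoardingPass("BP1001", "pax-alice", "XX100"),
    "BP1002": BoardingPass("BP1002", "pax-bob", "XX200"),
}

class Forbidden(Exception):
    """The session does not own the requested boarding pass."""

def view_pass_vulnerable(session, pass_id):
    # Flawed pattern: any logged-in user receives whatever ID the URL names.
    return PASSES[pass_id]

def _authorised_pass(session, pass_id):
    bp = PASSES.get(pass_id)
    # Same error for "missing" and "not yours", so valid IDs are not revealed.
    if bp is None or bp.passenger_id != session["passenger_id"]:
        raise Forbidden(pass_id)
    return bp

def view_pass(session, pass_id):
    return _authorised_pass(session, pass_id)

def check_in(session, pass_id):
    # State-changing actions need the same ownership check as reads.
    bp = _authorised_pass(session, pass_id)
    bp.checked_in = True
    return bp

def denied_ids(session, pass_ids):
    """IDs this session is refused: a regression check for the fix, and the
    pattern worth logging (one session requesting many passes it does not own)."""
    denied = []
    for pid in pass_ids:
        try:
            view_pass(session, pid)
        except Forbidden:
            denied.append(pid)
    return denied
```
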

 
