The world’s top companies use wandera Learn Why Try Wandera for Free

The lowest cost for your vacation. The only catch? Leaking credentials

The lowest cost for your vacation. The only catch? Leaking credentials

1400 937 Michelle Base-Bursey

It has become common practice when booking a trip to surf multiple websites in order find the most favourable price for your flight, car and hotel.

Travelers today are willing to look far and wide to find the best deal, even if it means leaving their comfort zone of ‘typical travel websites’ to get it. Little do they know, they may be putting themselves at risk.

Wandera researchers have discovered a data leak in the mobile microsite of a travel website called bookairfare.com (m.bookairfare.com). This is due to the transfer of personally identifiable information (PII) and credit card details unencrypted over the internet.

Bookairfare.com

Bookairfare.com, in operation since 2006, is a travel website that enables users to book their car, hotel and flight for their upcoming vacations.

Bookairfare.com was founded on the fundamental principle of giving customers access to the lowest fares without compromising great service. It utilizes a proprietary search technology to find the cheapest travel options available for users.

The site is popular in North America, particularly in the US. Bookairfare.com positions itself as the first completely independent flight booking engine, and doesn’t believe in hidden fees or the ‘bait and switch’ approach. It claims to present users with the lowest possible prices upfront.

The data leak

The primary vulnerability in the mobile website has been identified by MI:RIAM as the transmission of customer PII and credit card information over the insecure and unencrypted HTTP channel. During the booking request, the user’s information travels over the internet in plaintext, making its exposure to third parties very likely.

It’s important to note that the data leak is occurring only on the mobile site. If the website is visited from a laptop or desktop, users’ information remains secure as it is transferred over the encrypted HTTPS channel.

The PII exposed during the booking request on the mobile site includes:

  • Name
  • Surname
  • Credit card number
  • Credit card expiry date
  • Credit card security code
  • Billing address details
  • Address line 1
  • Address line 2
  • City
  • Zip/postal code
  • Country
  • State

The implications

The leaking of credit card information as well as user PII is a dangerous combination.

If hackers are able to set up the relatively simple process of intercepting mobile traffic (for instance, when the device is connected to a public Wi-Fi network) they will be able to see the above information in plaintext, travelling over the air. The hacker can then instantly begin using the stolen credit card information while the user remains none the wiser.

When using a mobile device to access bookairfare.com, users are automatically re-directed to the mobile version of the website, even if they attempt to type the normal “www.bookairfare.com” web address directly into the browser. This makes the security risk very difficult to avoid.

Keeping yourself protected

Wandera has already detected a number of enterprise users visiting this mobile website who, without the mobile security service deployed, would have had their credit card information and PII leaked.

Users should have an active mobile security service deployed to monitor and block data leaks. They should also avoid using the website over public and potentially insecure Wi-Fi hotspots in order to minimize the risk of traffic interception.

The developers of the bookairfare.com are advised to utilize SSL/TLS in order to protect the transmission of personally identifiable user information, session tokens, or other sensitive data to a backend API or web service.

Responsible disclosure

We attempted to contact bookairfare.com twice over a two month period, notifying them of the data leak both times. We received no response.

The latest mobile threats that you should know about

Our Threat Advisories present useful information on new mobile threats, their implications and practical steps for remediation and prevention, enabling you to swiftly address each new threat before it impacts your business.

Learn MORE