
Another airline winging it with data privacy

Liarna La Porta

Giving up personal information online has become part of daily life. The more information service providers know about us, the better they can serve us. But this seemingly harmless exchange has its perils. GOL Airlines, Brazil’s second largest carrier, provides a forward-thinking service to its customers, including a mobile check-in service and mobile geolocation services to help passengers estimate travel time to the airport and remember where they parked their cars.

These benefits can only be delivered in exchange for passenger details. But what happens when the information isn’t being adequately secured?

Wandera researchers have discovered multiple data leaks coming through GOL’s Android and iOS mobile apps.

How does the GOL Airlines leak work?

The GOL apps were found to be transferring information insecurely via the HTTP protocol, exposing personally identifiable information (PII) such as usernames and passwords to both attackers and third-party observers on the same network.

In addition, cross-site scripting (XSS) vulnerabilities on the GOL Airlines website allow an attacker to compromise user sessions by using malicious code that runs on the client side.

This could be implemented as a crafted link containing malicious JavaScript that an attacker sends to the victim; when the victim clicks on the link, the JavaScript runs in the victim's browser and carries out the attacker's instructions.

Since cookies are used as the session management mechanism, an attacker can craft JavaScript that returns the user's cookie. As a result, the attacker can gain unauthorized access to the user's personal account and impersonate the user.
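As an added example (not Wandera's or GOL's code), the following JavaScript audits `Set-Cookie` headers for the attributes that limit the two exposures described above: `HttpOnly` keeps injected script from reading the session cookie, and `Secure` keeps the cookie off plain HTTP. The cookie names, values and the session-name heuristic are assumptions constructed for illustration.

```javascript
// Added example: audit Set-Cookie headers for the attributes that limit
// session-cookie theft via XSS (HttpOnly) and over cleartext HTTP (Secure).
// Cookie names and values are constructed samples, not taken from GOL.

// Parse one Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const first = parts.shift() || "";
  const eq = first.indexOf("=");
  const name = eq === -1 ? first : first.slice(0, eq);
  const value = eq === -1 ? "" : first.slice(eq + 1);
  const attrs = {};
  for (const p of parts) {
    const i = p.indexOf("=");
    // Attribute names are case-insensitive (RFC 6265).
    const key = (i === -1 ? p : p.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : p.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Audit one cookie. The name pattern for "session-like" is an assumption.
function auditCookie(header, sessionPattern = /sess|sid|auth|token/i) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!sessionPattern.test(c.name)) return { name: c.name, findings };
  if (!c.attrs.httponly) findings.push("no HttpOnly: script can read it via document.cookie");
  if (!c.attrs.secure) findings.push("no Secure: browser will send it over plain HTTP");
  const sameSite = String(c.attrs.samesite || "").toLowerCase();
  if (sameSite !== "lax" && sameSite !== "strict") findings.push("SameSite is not Lax or Strict");
  return { name: c.name, findings };
}

// Return only the cookies that have at least one finding.
function auditResponse(setCookieHeaders) {
  return setCookieHeaders.map((h) => auditCookie(h)).filter((r) => r.findings.length > 0);
}

// Constructed Set-Cookie values from a hypothetical login response.
const SAMPLE = [
  "SESSIONID=abc123; Path=/",
  "auth_token=xyz; Path=/; Secure; HttpOnly; SameSite=Lax",
  "lang=pt-BR; Path=/",
  "sid=def456; Path=/; httponly",
];

for (const r of auditResponse(SAMPLE)) {
  console.log(`${r.name}: ${r.findings.join("; ")}`);
}
```

The hardened `auth_token` cookie and the non-session `lang` cookie produce no findings; the other two are reported.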

It was also discovered that the URL for generating the QR Codes used on boarding passes is open to abuse, allowing anyone to pass modified information and generate different QR codes or spoof one belonging to another traveler.

What is being exposed by the GOL Airlines app?

PII that is exposed during a login request on both Android and iOS includes:

  • Email
  • Password
  • IP address

PII that is exposed during the check-in process on Android, iOS and the website includes:

  • First name, last name
  • Identity card / passport number
  • Departure station
  • Arrival station
  • QR code
  • Customer ID
  • Reservation number
  • Emergency contact details, including names, phone number, and date of birth

What can you do to avoid being impacted by the GOL Airlines leak?

GOL Airlines passengers are advised to avoid using the web services over public and potentially insecure Wi-Fi hotspots in order to minimize the risk of traffic interception.

Businesses should have an active mobile security service deployed to monitor for data leaks.

Liarna La Porta

Liarna La Porta leads content marketing at Wandera. As Editor of Wandera’s blog, Liarna keeps the content ticking that makes Wandera a reliable news source for mobile security professionals. Her passion for helping tech start ups in all aspects of marketing and PR is reflected in the expert industry coverage she provides. An Australian adventurist at heart, Liarna has been in the Marketing and PR industry for over six years working from Melbourne, Sydney, London and San Francisco, soaking up the expertise required for her global role at Wandera.
