Giving up personal information online has become part of daily life. The more information service providers know about us, the better they can serve us. But this seemingly harmless exchange has its perils. GOL Airlines, Brazil’s second largest carrier, provides a forward-thinking service to its customers, including a mobile check-in service and mobile geolocation services to help passengers estimate travel time to the airport and remember where they parked their cars.

These benefits can only be delivered in exchange for passenger details. But what happens when the information isn’t being adequately secured?
Wandera researchers have discovered multiple data leaks coming through GOL’s Android and iOS mobile apps.

How does the GOL Airlines leak work?

The GOL apps were found to be transferring information over plaintext HTTP rather than HTTPS, exposing personally identifiable information (PII) such as usernames and passwords to attackers and other third-party observers on the same network.
In addition, Cross-Site Scripting (XSS) vulnerabilities on the GOL Airlines website allow an attacker to compromise user sessions with malicious code that runs on the client side.
This could take the form of a crafted link containing malicious JavaScript that an attacker sends to the victim; when the victim clicks the link, the JavaScript runs in the victim's browser and carries out the attacker's instructions.
Since cookies are used as the session management mechanism, an attacker can craft JavaScript that returns the user's session cookie. As a result, the attacker can gain unauthorized access to the user's personal account and impersonate the user.
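The two weaknesses above, cleartext transport of credentials and a session cookie that script can read, are both things an app security reviewer can check mechanically from a captured login exchange. The following is an added example, not code from Wandera or GOL: it audits a constructed login request and its Set-Cookie header and reports the transport scheme, any sensitive form fields sent in the clear, and which protective cookie attributes (Secure, HttpOnly, SameSite) are missing. The host name, field names and cookie values are invented for the example.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample of an insecure login exchange (not real GOL traffic).
SAMPLE_LOGIN_URL = "http://api.example-airline.test/login"
SAMPLE_LOGIN_BODY = "email=traveler%40example.test&password=hunter2&device=android"
SAMPLE_SET_COOKIE = "SESSIONID=abc123; Path=/"

# The same exchange after hardening: TLS only, and a cookie that script cannot
# read (HttpOnly), that is never sent over plaintext (Secure) and that is not
# attached to cross-site requests (SameSite).
HARDENED_LOGIN_URL = "https://api.example-airline.test/login"
HARDENED_SET_COOKIE = "SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"

# Form field names treated as PII or credentials for the purpose of this audit.
SENSITIVE_FIELDS = {"email", "password", "passport", "document", "phone"}


def audit_login_request(url, form_body):
    """Return a list of findings for one login request (empty means no issue)."""
    findings = []
    parts = urlsplit(url)
    fields = parse_qs(form_body, keep_blank_values=True)
    sensitive = sorted(f for f in fields if f.lower() in SENSITIVE_FIELDS)
    if parts.scheme != "https":
        findings.append(
            f"cleartext transport ({parts.scheme}) to {parts.netloc}{parts.path}"
        )
        if sensitive:
            findings.append("sensitive fields sent in cleartext: " + ", ".join(sensitive))
    return findings


def audit_session_cookie(set_cookie_header):
    """Return (cookie_name, missing_attributes) for a Set-Cookie header value."""
    parts = [p.strip() for p in set_cookie_header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    # Attribute names are case-insensitive; flags like HttpOnly carry no value.
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    missing = [
        attr for attr, key in (("Secure", "secure"), ("HttpOnly", "httponly"), ("SameSite", "samesite"))
        if key not in attrs
    ]
    return name, missing


def audit_exchange(url, form_body, set_cookie_header):
    """Combine both checks into one report for a login exchange."""
    report = audit_login_request(url, form_body)
    name, missing = audit_session_cookie(set_cookie_header)
    if missing:
        report.append(f"cookie {name} missing attributes: " + ", ".join(missing))
    return report


if __name__ == "__main__":
    for label, url, body, cookie in (
        ("insecure", SAMPLE_LOGIN_URL, SAMPLE_LOGIN_BODY, SAMPLE_SET_COOKIE),
        ("hardened", HARDENED_LOGIN_URL, SAMPLE_LOGIN_BODY, HARDENED_SET_COOKIE),
    ):
        print(label, audit_exchange(url, body, cookie) or ["no findings"])
```

The HttpOnly check is the one that matters for the cookie-theft scenario described above: a cookie carrying that attribute is not exposed through `document.cookie`, so even a successful script injection cannot read the session token directly. The Secure attribute closes the other path, since the browser will not attach the cookie to a plaintext request at all.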
It was also discovered that the URL used to generate the QR codes on boarding passes is open to abuse: anyone can pass modified information to it and generate a different QR code, or spoof one belonging to another traveler.
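The underlying problem with the QR-code endpoint is that it encodes whatever the caller supplies, so the boarding pass carries no proof that the airline issued it. The usual fix is for the server to sign the passenger and flight fields with a key the client never sees, encode the signed token in the QR code, and have the gate scanner verify the signature before trusting any field. The following is an added illustration of that pattern, not GOL's or Wandera's code: the key, field names and token layout are all assumptions made for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed server-side key for the example only. In production this would
# live in a key management service, never in the mobile app or the web page.
SECRET_KEY = b"example-only-server-secret"


def _b64e(raw):
    """URL-safe base64 without padding, so the token is QR-friendly."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_boarding_token(fields, key=SECRET_KEY):
    """Server side: canonicalise the fields and append an HMAC-SHA256 tag."""
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64e(payload)}.{_b64e(tag)}"


def verify_boarding_token(token, key=SECRET_KEY):
    """Scanner side: return the fields only if the tag matches, else None."""
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload = _b64d(payload_b64)
        tag = _b64d(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak the tag byte by byte.
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(payload)


def modified_token(token, **changes):
    """Rebuild a token with altered fields but the original tag; used here only
    to show that the verifier rejects any change to the signed data."""
    payload_b64, tag_b64 = token.split(".", 1)
    fields = json.loads(_b64d(payload_b64))
    fields.update(changes)
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return f"{_b64e(payload)}.{tag_b64}"


if __name__ == "__main__":
    # Constructed passenger record for the demonstration.
    pass_fields = {"pnr": "ABC123", "name": "A. TRAVELER", "from": "GRU", "to": "GIG", "seat": "12A"}
    token = issue_boarding_token(pass_fields)
    print("valid  :", verify_boarding_token(token))
    print("altered:", verify_boarding_token(modified_token(token, seat="1A")))
```

With this layout the QR endpoint only ever encodes tokens the server itself issued, so passing different field values to it produces a code that every verifying scanner rejects; the signature, not the URL, is what makes the boarding pass authentic.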

What is being exposed by the GOL Airlines app?

PII that is exposed during a login request on both Android and iOS includes:

  • Email
  • Password
  • IP address

PII that is exposed during the check-in process on Android, iOS and the website includes:

  • First name, last name
  • Identity card / passport number
  • Departure station
  • Arrival station
  • QR code
  • Customer ID
  • Reservation number
  • Emergency contact details, including names, phone number, and date of birth

What can you do to avoid being impacted by the GOL Airlines leak?

GOL Airlines passengers are advised to avoid using these web services over public and potentially insecure Wi-Fi hotspots, to minimize the risk of traffic interception.
Businesses should have an active mobile security service deployed to monitor for data leaks.