Wandera’s threat research team has discovered a vulnerability affecting a number of airline e-ticketing systems that can expose passengers’ personally identifiable information (PII). The check-in links these systems email to passengers are sent without encryption, so they are easily intercepted by an attacker on the same network. The intercepted links enable unauthorized third parties to view, and in some cases even change, a user’s flight booking details, and/or print their boarding passes.

Airlines affected

At the time of research, Wandera identified that the following airlines have been sending some unencrypted check-in links through their e-ticketing systems:

  • Southwest (world’s largest low-cost airline, HQ in the US)
  • Air France (major carrier in France)
  • KLM (major carrier in the Netherlands)
  • Vueling (low-cost airline in Spain)
  • Jetstar (low-cost airline in Australia)
  • Thomas Cook (British charter airline)
  • Transavia (Dutch low-cost airline)
  • Air Europa (third largest airline in Spain)

How it works

Our threat researchers discovered that these airlines have sent unencrypted check-in links to passengers. Upon clicking these unencrypted links, a passenger is directed to a site where they are logged in automatically to the check-in for their flight, and in some cases they can then make certain changes to their booking and print off the boarding pass.

A hacker on the same network as the passenger can easily intercept the link request, use it themselves and then gain access to the passenger’s online check-in.

What data could hackers access?

Once the vulnerable check-in link is accessed by the passenger, a hacker can easily intercept the credentials that allow access to the e-ticketing system, which contains all of the PII associated with the airline booking. Using these credentials, the attacker can visit the e-ticketing system at any point, even multiple times, prior to the flight taking off and access all the PII associated with the airline booking.

Passenger PII Exposed: Online Check-in

Above: Actual screenshot of a user check-in session for a Southwest Airlines flight.

The different types of data that could be exposed include:

  • Email Addresses
  • First Names
  • Last Names
  • Document Numbers (Passport/ID)
  • Document Issuing Countries
  • Document Expiration Dates
  • Booking References
  • Flight Numbers
  • Flight Times
  • Seat Assignments
  • Baggage Selections
  • Full Boarding Passes
  • Details of travel companions on the same booking

All of the major airlines that we identified are putting passenger data at risk. However, there are differences in the types of data that are exposed by each individual airline e-ticketing system.

Seat Tampering Risks

Above: Actual screenshots of a user check-in for an Air France flight.

Threat research timeline and responsible disclosure

Wandera initially identified the vulnerability in early December 2018. Our threat research team observed that travel-related passenger details were being sent without encryption as one of our secured customers accessed the e-ticketing system of one of the airlines mentioned above. It was at that time that Wandera notified the airline and began further research.

Further investigations were then launched to determine if any additional airline e-ticketing systems were similarly vulnerable. We discovered that multiple airlines had similar issues with their e-ticketing systems. Documentation and responsible disclosure were carried out in tandem. Wandera has a strict responsible disclosure process that we follow in situations like this. Once the affected vendor is notified, we will allow up to four weeks for the vendor to provide a patch or other relevant fix before we disclose the vulnerability to alert the public.

Wandera also shared its findings with relevant government agencies that are responsible for airport security.

What are the implications?

Once a hacker has hijacked a passenger’s check-in, they not only have access to some of the PII listed above, but in some cases they can also add or remove extra bags, change allocated seats and change the mobile phone number or email associated with the booking.

Recent reports of a man who was able to board the wrong flight raise questions about the varied quality of boarding pass screening at the gates of some airports. That is why the most concerning aspect of this vulnerability is the possibility for a hacker or criminal to print a victim’s boarding pass and attempt to board a scheduled flight.

Our recommendations

  • Airlines should adopt encryption throughout the check-in process
  • Airlines should require user authentication for all steps where PII is accessible and especially when it is editable
  • Airlines should utilize one-time use tokens for direct links within emails
  • Users should have an active mobile security service deployed to monitor and block data leaks and phishing attacks
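The three airline-side recommendations above, as an added example that is not the post’s or any airline’s code: an audit of the weak link pattern described in “How it works” (an unencrypted link carrying booking credentials in its query string) beside a single-use, time-limited token issuer; the hostnames, parameter names and booking ids are assumptions.

```python
"""Added example: one-time, expiring check-in links versus the weak pattern.
Not Wandera's or any airline's code; hostnames, parameter names and
booking ids below are assumptions made for the example."""
import hashlib
import secrets
import time
from urllib.parse import urlparse, parse_qs

# Query parameters that amount to booking credentials or PII when they are
# mailed inside a link (assumed names; real e-ticketing systems differ).
SENSITIVE_PARAMS = {"pnr", "bookingref", "lastname", "surname", "email"}


def audit_link(url):
    """Findings a reviewer would raise about a check-in link sent by email."""
    parts = urlparse(url)
    findings = []
    if parts.scheme != "https":
        findings.append("not_https")  # link and credentials readable on the wire
    leaked = {k.lower() for k in parse_qs(parts.query)} & SENSITIVE_PARAMS
    if leaked:
        findings.append("credentials_in_query")  # logged, bookmarked, replayable
    return findings


class CheckInTokens:
    """Issues opaque one-time tokens; only their SHA-256 is kept server-side."""

    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds
        self._live = {}  # sha256(token) -> (booking_id, expiry)

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, booking_id, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 random bits, not guessable
        self._live[self._key(token)] = (booking_id, now + self.ttl)
        return "https://checkin.example.com/t/" + token  # assumed host

    def redeem(self, url, now=None):
        """Return the booking id once; None if unknown, already used or expired.
        The caller should then start an authenticated session before any
        PII is shown, and re-authenticate before anything is edited."""
        now = time.time() if now is None else now
        token = urlparse(url).path.rsplit("/", 1)[-1]
        record = self._live.pop(self._key(token), None)  # pop makes it one-shot
        if record is None:
            return None
        booking_id, expiry = record
        return None if now > expiry else booking_id
```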

Appendix

Air France-KLM issued this statement in response to our findings.

Which airlines leak what information? Anonymized details below.

Airline 1

  • Customer’s Home Address
  • Booking Number
  • Flight Details
  • First Name
  • Last Name
  • Date of Birth
  • Price of All Services

Airline 2

  • Booking Reference
  • First Name
  • Last Name
  • Email Address
  • Mobile Phone Number
  • Flight Number
  • Flight Times
  • Seat Number
  • Number of Baggage Items

Airline 3

  • Full Boarding Pass
  • Confirmation Number
  • First Name
  • Last Name
  • Flight Number
  • Seat Number
  • Baggage Allowance

Airline 4

  • Full Boarding Pass
  • Gender
  • Date of Birth
  • Nationality
  • Document Numbers (Passport/ID)
  • Document Expiration Date
  • Frequent Flyer Card Number
  • Email
  • Mobile Phone Number
  • Flight Number
  • Flight Times
  • Seat Number
  • Baggage Allowance

Airline 5

  • Full Boarding Pass
  • Email Address
  • First Name
  • Last Name
  • Document Numbers (Passport/ID)
  • Document Issuing Country
  • Document Expiration Date
  • Booking Reference
  • Flight Number
  • Flight Times
  • Seat Number
  • Baggage Allowance

Airline 6

  • First Name
  • Last Name
  • Mobile Phone Number
  • Flight Details
  • Boarding Pass
  • Price of Trip
  • Email
  • Credit Card Partial Details (Type of Card, Last 4 Digits of Card, Card Holder Name)

Airline 7

  • Boarding Pass
  • Last Name
  • Booking Number

Airline 8

  • Last Name
  • Booking Reference