Wandera’s threat research team has discovered a vulnerability affecting British Airways’ e-ticketing system that exposes passengers’ personally identifiable information (PII).

Airline check-in links that are unencrypted and easily intercepted enable unauthorized third parties to view and change passengers’ flight booking details and personal information.

How it works

Our threat researchers discovered that the vulnerable check-in links are being sent by British Airways to their passengers via email.

In an effort to streamline the user experience, passenger details are included in the URL parameters that direct the passenger from the email to the British Airways website where they are logged in automatically so they can view their itinerary and check-in for their flight.

The passenger details included in the URL parameters are the booking reference and surname, both of which are exposed because the link is unencrypted.

Therefore, someone snooping on the same public Wi-Fi network can easily intercept the link request, which includes the booking reference and surname and use these details to gain access to the passenger’s online itinerary in order to steal even more information or manipulate the booking information.

What are the implications?

Once the attacker has access on the victim’s account they can steal the following passenger information:

  • Email Address
  • Telephone Number
  • BA Membership Numbers
  • First Name
  • Last Name
  • Booking Reference
  • Itinerary
  • Flight Number
  • Flight Times
  • Seat Number
  • Baggage Allowance

Responsible disclosure

In July 2019, our threat research team observed that passenger details were being sent unencrypted when a user on our network accessed the British Airways e-ticketing system. It was at that time that Wandera notified the airline of the vulnerable link.

Wandera discovered a similar check-in link vulnerability affecting eight major airlines in February 2019, including: Southwest, KLM, Air France, Jetstar, Thomas Cook, Vueling, Air Europa, and Transavia. All airlines were notified and urged to take action to secure the check-in links.

Our recommendations

  • Airlines should adopt encryption throughout the check-in process
  • Airlines should require explicit user authentication for all steps where PII is accessible and especially when it is editable
  • Airlines should utilize one-time use tokens for direct links within emails
  • Users should have an active mobile security service deployed to monitor and block data leaks and phishing attacks