Anyone who has flown for work will know that business trips are stressful enough as they are. Companies and employees shouldn't have the added pressure of worrying about how the airlines they choose to fly with are handling their personal data.

Researchers at Wandera have discovered a vulnerability in Scandinavian Airlines’ (SAS) mobile apps that puts the personal data of passengers at risk of theft.
Considering that SAS is the largest airline in Scandinavia, the potential impact of this vulnerability is significant.

How does it happen?

When a user registers for an account with SAS via the iOS or Android apps, the information they enter, such as a username and password, is sent unencrypted (over plain HTTP) across the internet.
This means the personally identifiable information (PII) of passengers can easily be harvested by anyone intercepting their mobile traffic. As we've demonstrated before, it is not difficult to be fooled by a spoof Wi-Fi hotspot labelled "Free Wi-Fi", set up by an attacker for malicious purposes using cheap and readily available equipment; every plaintext request the app sends through such a hotspot is readable by its operator.
Furthermore, the Web API used by the SAS apps can also be reached over plain HTTP, which makes the mobile apps susceptible to an HTTPS downgrade attack.
In this type of attack, an attacker on the network path rewrites HTTPS references to HTTP so that the client keeps talking to the API in the clear (a technique commonly known as SSL stripping), allowing the attacker to read sensitive information. Because the server accepts the unencrypted connection, the client never notices that the downgrade took place.
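The following is an added example (not Wandera's or SAS's code) that makes the two weaknesses above concrete and gives a practitioner an offline check for each. The first part parses a constructed capture of a registration POST sent over plain HTTP, exactly the kind of request a rogue hotspot would see, and returns the fields an on-path attacker harvests from it. The second part judges whether an API endpoint is downgrade-prone from how it answers a request made over HTTP, using constructed status lines and headers. The hostname, path and field names are assumptions for illustration, not the real SAS API.

```python
"""Added example, not from the original advisory. Offline demonstration of
(1) what leaks from a registration request sent over plain HTTP and
(2) how to classify an endpoint's plain-HTTP behaviour for downgrade risk.
Hostname, path, field names and all values below are constructed."""
from urllib.parse import parse_qs

# Constructed form body as the app might submit it on registration.
CAPTURED_BODY = (
    "username=jdoe&password=Summer2019%21&email=jdoe%40example.test"
    "&firstName=Jane&lastName=Doe&dob=1985-04-12&phone=%2B4670123456"
)

# Constructed raw HTTP/1.1 request, as a sniffer on a rogue hotspot sees it.
CAPTURED_REQUEST = (
    "POST /api/v1/register HTTP/1.1\r\n"            # assumed path
    "Host: api.example-airline.test\r\n"            # assumed hostname
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"Content-Length: {len(CAPTURED_BODY)}\r\n"
    "\r\n"
    f"{CAPTURED_BODY}"
)

# Field names mirror the PII categories listed in the advisory (assumed keys).
SENSITIVE_FIELDS = {"username", "password", "email", "firstName", "lastName",
                    "dob", "address", "postalCode", "city", "country", "phone"}


def parse_http_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def harvest_cleartext_pii(raw: str) -> dict:
    """Return the sensitive fields readable from an unencrypted request.

    Nothing here needs to be 'cracked': without TLS the form body is plain
    text on the wire, so anyone on the path sees exactly what is returned."""
    method, _path, headers, body = parse_http_request(raw)
    if method != "POST":
        return {}
    if not headers.get("content-type", "").startswith(
            "application/x-www-form-urlencoded"):
        return {}
    fields = parse_qs(body, keep_blank_values=True)   # also percent-decodes
    return {k: v[0] for k, v in fields.items() if k in SENSITIVE_FIELDS}


def classify_plain_http_response(status_line: str, headers: dict) -> str:
    """Classify an endpoint from its answer to a request made over plain HTTP.

    'serves-over-http'   - 2xx over HTTP: the API accepts cleartext, so an
                           on-path attacker can keep a client on HTTP.
    'redirects-to-https' - bounces to HTTPS; better, but the first request
                           still leaves the device in the clear and the
                           redirect itself can be intercepted and rewritten.
    'rejects-plain-http' - anything else (4xx/5xx); the safest server-side
                           behaviour short of not listening on port 80 at all.
    The app-side fix is to refuse any non-HTTPS URL regardless of the server.
    """
    status = int(status_line.split()[1])
    h = {k.lower(): v for k, v in headers.items()}
    if 200 <= status < 300:
        return "serves-over-http"
    if status in (301, 302, 307, 308) and h.get("location", "").startswith("https://"):
        return "redirects-to-https"
    return "rejects-plain-http"


if __name__ == "__main__":
    for field, value in harvest_cleartext_pii(CAPTURED_REQUEST).items():
        print(f"{field:10s} {value}")
    print(classify_plain_http_response("HTTP/1.1 200 OK",
                                       {"Content-Type": "application/json"}))
```

Run against the constructed capture, the harvester returns the username, password, e-mail, name, date of birth and phone number in readable form; the classifier marks a `200 OK` over HTTP as downgrade-prone. To use the classifier on a real endpoint, issue a plain `http://` request to the API host and feed it the status line and headers you get back.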

What is being exposed?

When a user registers via the app and creates an account, the following PII is exposed:

  •      Username
  •      Password
  •      E-mail
  •      First name, Last name
  •      Date of Birth
  •      Mailing Address
  •      Postal Code
  •      City
  •      Country
  •      Mobile phone number

What can you do?

SAS customers should avoid using the apps over public and potentially insecure Wi-Fi hotspots to minimize the risk of traffic interception.
Furthermore, businesses with staff flying via SAS should have an active mobile security service deployed to monitor for data leaks.
Wandera offers a service that leverages some new iOS features to further bolster our core threat prevention capabilities. We can now proactively warn a user when they are joining a potentially insecure Wi-Fi network, and therefore offer even better protection from threats such as man-in-the-middle attacks, ahead of the attack itself.